BitWarden - self hosted password manager using vaultwarden/server image

The only issue I had was reassigning the port. Even though mprasil was stopped, Docker wouldn't allow me to use the same port. So I set mprasil container to "auto" to release the port.
Same here. Just changed ports in mprasil to something else, set the new container, then deleted mprasil. Works like a charm.
 

Telos

When you set up Docker/Bitwarden, do you create a new user (ex., Bitwarden), adding its ID to the environmental variables and giving it rights to the "docker/bitwarden" folder/files (and nothing else)?
 

Rusty

When you set up Docker/Bitwarden, do you create a new user (ex., Bitwarden), adding its ID to the environmental variables and giving it rights to the "docker/bitwarden" folder/files (and nothing else)?
No, you create a new user via BW web page later on. But, if you are looking to further protect BW on file level you can create a separate DSM account that has permissions to that folder only and usage of Docker. Not sure I understood your question so not sure if this answers it.
 

Telos

No, you create a new user via BW web page later on. But, if you are looking to further protect BW on file level you can create a separate DSM account that has permissions to that folder only and usage of Docker. Not sure I understood your question so not sure if this answers it.
It seems the default install gives the container your admin uid, and that seems undesirable. Containers should run isolated... yes?
 

Rusty

Well as I said you can run it under a different user if you wish. I have admin account disabled for all dsm operations. Running it with a separate account (all of dsm that is)
 
Interesting thread and tutorial. I've been running Bitwarden for at least a year now following this tutorial Bitwarden Self-Hosted Password Manager on Docker

Running without problems over https, apart from notifications (auto updates in app) being unreliable (works off and on).

So I was wondering should I switch to this image?
Does it have notifications (auto updates in app)?
Is the support for organisations free, or does it also require a license, like my installation?
When can we expect the https tutorial?

Oh and can I migrate in a similar way as you had to migrate from mprasil to bitwardenrs, i.e. pointing to the data folder? Or are they too different and will config files confuse bitwardenrs?
 

Rusty

When can we expect the https tutorial?
https in this case can be easily done with reverse proxy, so no need to activate https on BW level (you can check resources section for reverse proxy tutorial).

Does it have notifications (auto updates in app)?
If the question is autoupdate of vault towards client apps the answer is yes. Notifications can also be configured: dani-garcia/bitwarden_rs

Is the support for organisations free, or does it also require a license, like my installation?
Yes, you can add organizations for free
 
About Notification and push updates:
My iOS client does not synchronize automatically - I have to force sync in the preferences.

Is this due to the lack of WebSocket?
Does the docker image support Live Sync out of the box?

If I have to set up WebSocket separately could you elaborate how to set it up using Synology Docker?
(dani-garcia/bitwarden_rs was not clear enough for me)

Thanks! Best regards,
paradeiser
 

Rusty

web socket method is supported with this docker image.
 
web socket method is supported with this docker image.
So the question is how to set up Reverse Proxy in DSM to proxy
'/notifications/hub' to the websocket server on port xx3012
( and '/notifications/hub/negotiate' still to port xx80 )

right?
 

Rusty

Was really busy yesterday, so will get back to you on this one later today or tomorrow.
 

Rusty

Had a look at the instructions and even though this docker image boots up with websocket active on port 3012 (default) there are 2 things that need to be done here. 1st is to add another env variable to activate websocket and 2nd is to configure a custom nginx (reverse proxy) configuration file for this site. The reason is that by default, nginx that runs in the background of DSM is protecting default conf files, and considering there is a need to create multiple custom locations inside a single RP entry (one for hub and one for negotiate), there will be a need to make a custom file. These options are not possible via DSM Application portal (RP) settings, so ssh will be needed.

Haven't tried it as of yet, but I see no reason for this not to work. Will test this later today when I get some free time considering that there will be a need to reconfigure BW to use that custom conf file and not the default one.
 

Rusty

So the question is how to set up Reverse Proxy in DSM to proxy
'/notifications/hub' to the websocket server on port xx3012
( and '/notifications/hub/negotiate' still to port xx80 )

right?
Managed to get some time to work this method out. As the instructions on GitHub state there is a need to configure specific path to be pushed on specific ports. This is not possible via DSM Reverse proxy UI, but it can be done via SSH.

Will post an update on the resource now
 

Rusty

Rusty updated BitWarden - self hosted password manager using bitwardenrs/server image with a new update entry:

Bitwarden WebSocket LiveSync

This update will focus on the "LiveSync" feature that offers BW users instant sync of any updates across platforms. So for example, if you add a new entry using the web UI that same entry will be visible in any web browser extension as well as your mobile app. The process works in all directions and it's really instant.

This is possible using the websocket protocol. Considering that the official version (paid) method will not work with this custom one, developers have offered an alternative...

Read the rest of this update entry...
 
Thank you very much for the WebSocket update.
I got it working!

Just a little hint to the certificates:
look in
/usr/syno/etc/certificate/_archive
for your certificates, open INFO in vi to check which path points to your Bitwarden certificate. Adapt your .conf file according to this path like
ssl_certificate /usr/syno/etc/certificate/_archive/XXXXXX/fullchain.pem;
ssl_certificate_key /usr/syno/etc/certificate/_archive/XXXXXX/privkey.pem;

@Rusty: Do you know if the Letsencrypt Update still works?
 

Rusty

Glad you got it working. Just one thing regarding cert. Use the live not archive folder from LE but yes, the idea is the same and it should survive the cert update.
 
So I am not as smart as I would like to think I am, apparently.
I am having trouble figuring out some details of the method to set up Websocket Livesync. I apologize if my questions are a little stupid.

In particular:

I am having trouble determining the live (not archive) folder where my certificates live.
Paradeiser says to look in /usr/syno/etc/certificate/_archive and to open INFO to see which path points to the Bitwarden certificate.
But looking at my INFO file doesn't tell me this. Here's what my INFO file looks like:
{
  "8S5PFq" : {
    "desc" : "",
    "services" : [
      {
        "display_name" : "Log Receiving",
        "display_name_i18n" : "helptoc:logcenter_server",
        "isPkg" : true,
        "owner" : "root",
        "service" : "pkg-LogCenter",
        "subscriber" : "LogCenter"
      },
      {
        "display_name" : "FTPS",
        "isPkg" : false,
        "owner" : "root",
        "service" : "ftpd",
        "subscriber" : "smbftpd"
      },
      {
        "display_name" : "DSM Desktop Service",
        "display_name_i18n" : "common:web_desktop",
        "isPkg" : false,
        "owner" : "root",
        "service" : "default",
        "subscriber" : "system"
      }
    ]
  },
  "flTQwN" : {
    "desc" : "",
    "services" : []
  }
}
So which of these is bitwarden related? Is it, by the process of elimination, flTQwN?
 
I'm away from my Synology atm, but as far as I remember I set up reverse proxy using the GUI first, then created a certificate just for this subdomain and then removed the RP setting in the GUI to create the RP file using terminal. Maybe that's why I had one specific certificate for Bitwarden.
Hope that helps.
 

Rusty

By the looks of it, none of those certs is assigned to your BW reverse proxy. If it was then it would be listed. I can confirm that this location is the correct one to be sure which one of your certs is assigned.
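
Added example, not written by any poster in this thread: Python that reads the INFO file discussed above and reports which services each certificate ID is bound to, so an unassigned certificate is not picked by elimination. The sample is a constructed, trimmed copy of the INFO content quoted in the thread; the search term and the assumption that a reverse-proxy entry contains a recognisable string (such as its hostname) are hypothetical.

```python
import json

ARCHIVE_DIR = "/usr/syno/etc/certificate/_archive"  # path given in the thread

# Constructed sample: trimmed copy of the INFO file quoted in the thread.
SAMPLE_INFO = """
{
  "8S5PFq": {"desc": "", "services": [
    {"display_name": "Log Receiving", "service": "pkg-LogCenter", "subscriber": "LogCenter"},
    {"display_name": "FTPS", "service": "ftpd", "subscriber": "smbftpd"},
    {"display_name": "DSM Desktop Service", "service": "default", "subscriber": "system"}
  ]},
  "flTQwN": {"desc": "", "services": []}
}
"""


def load_info(text=SAMPLE_INFO):
    """Parse INFO content; defaults to the constructed sample above."""
    return json.loads(text)


def cert_assignments(info):
    """Map each certificate ID to the display names of the services bound to it."""
    return {cid: [s.get("display_name", "?") for s in (e.get("services") or [])]
            for cid, e in info.items()}


def find_cert_for(info, needle):
    """IDs of certificates with a service entry mentioning `needle` in any field."""
    needle = needle.lower()
    return [cid for cid, e in info.items()
            if any(needle in str(v).lower()
                   for s in (e.get("services") or []) for v in s.values())]


def unassigned(info):
    """Certificates bound to no service; an empty list matches nothing."""
    return [cid for cid, e in info.items() if not e.get("services")]


def archive_cert_paths(cert_id):
    """Certificate and key paths in the form quoted in the thread's .conf hint."""
    base = f"{ARCHIVE_DIR}/{cert_id}"
    return f"{base}/fullchain.pem", f"{base}/privkey.pem"


if __name__ == "__main__":
    info = load_info()  # on the NAS: load_info(open(ARCHIVE_DIR + "/INFO").read())
    for cid, names in cert_assignments(info).items():
        print(cid, "->", names or "no services assigned")
    hits = find_cert_for(info, "bitwarden")  # hypothetical search term
    print("matches:", hits or "none; no certificate is assigned to that entry")
```

On the sample, the search returns no match and `flTQwN` shows up only as unassigned, which is the situation described in the reply above.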
 
