Add Vaultwarden deployment guide (CT 115)

2026-06-18 04:12:21 +00:00 · 2026-06-18 04:12:21 +00:00 · 5d64492ece
commit 5d64492ece
parent 416c8a2e9a
1 changed files with 120 additions and 0 deletions
--- a/13_vaultwarden_deployment.md
+++ b/13_vaultwarden_deployment.md
@ -0,0 +1,120 @@
+# Vaultwarden Deployment — CT 115
+
+## Overview
+
+Self-hosted Bitwarden-compatible password manager. Deployed on CT 115 via Docker Compose, accessible at `vault.spendlik.sk`.
+
+| Property | Value |
+|---|---|
+| **Container** | CT 115 |
+| **Hostname** | vaultwarden |
+| **IP** | 192.168.1.115 |
+| **OS** | Debian 13 (privileged LXC, `nesting=1`) |
+| **URL** | https://vault.spendlik.sk |
+| **Internal port** | 8080 |
+| **Data path** | `/opt/vaultwarden/data` |
+| **Compose file** | `/opt/vaultwarden/docker-compose.yml` |
+
+---
+
+## Docker Compose
+
+Located at `/opt/vaultwarden/docker-compose.yml`:
+
+```yaml
+services:
+  vaultwarden:
+    image: vaultwarden/server:latest
+    restart: unless-stopped
+    volumes:
+      - ./data:/data
+    ports:
+      - "8080:80"
+    environment:
+      DOMAIN: https://vault.spendlik.sk
+      SIGNUPS_ALLOWED: "false"
+```
+
+> ⚠️ `SIGNUPS_ALLOWED` was set to `"true"` during initial setup to allow account creation, then changed to `"false"` after the admin account was created.
+
+---
+
+## nginx Reverse Proxy (CT 101)
+
+Config at `/etc/nginx/sites-available/vault.spendlik.sk`:
+
+```nginx
+server {
+    server_name vault.spendlik.sk;
+
+    location / {
+        proxy_pass http://192.168.1.115:8080;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/vault.spendlik.sk/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/vault.spendlik.sk/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+}
+
+server {
+    if ($host = vault.spendlik.sk) {
+        return 301 https://$host$request_uri;
+    }
+    listen 80;
+    server_name vault.spendlik.sk;
+    return 404;
+}
+```
+
+---
+
+## DNS & DDNS
+
+- A record created manually in WebSupport admin (both DNS pages) before SSL issuance
+- `vault.spendlik.sk` added to DDNS updater script in CT 108
+
+---
+
+## Deployment Steps (for reference)
+
+1. Create privileged Debian 13 LXC (CT 115, IP 192.168.1.115, `nesting=1`)
+2. `apt update && apt upgrade -y && apt install -y nano curl`
+3. Install Docker: `curl -fsSL https://get.docker.com | sh`
+4. Create `/opt/vaultwarden/docker-compose.yml` with `SIGNUPS_ALLOWED: "true"`
+5. `cd /opt/vaultwarden && docker compose up -d`
+6. Create DNS A record in WebSupport (both pages)
+7. Add `vault.spendlik.sk` to DDNS updater in CT 108
+8. Add nginx vhost in CT 101, enable it, reload nginx
+9. Run certbot, inspect config afterwards
+10. Test from mobile data (hairpin NAT blocks LAN testing)
+11. Create admin account via web UI
+12. Install Bitwarden clients on all devices (Zen browser extension, Galaxy S25, Galaxy Tab S9)
+13. Set `SIGNUPS_ALLOWED: "false"` in compose file, restart container
+
+---
+
+## Clients
+
+| Device | Client |
+|---|---|
+| CachyOS (Zen browser) | Bitwarden browser extension |
+| Galaxy S25 | Bitwarden Android app |
+| Galaxy Tab S9 | Bitwarden Android app |
+
+All clients point to `https://vault.spendlik.sk` as the custom server URL.
+
+---
+
+## Notes
+
+- Certbot config came out clean after SSL issuance (no corruption)
+- `SHOW_PASSWORD_HINT` not set — using default
+- Admin panel available at `https://vault.spendlik.sk/admin` — token stored in Vaultwarden
+- The "Create Account" link remains visible in the UI even with `SIGNUPS_ALLOWED=false` — this is by design in Vaultwarden; registration attempts are rejected server-side
+- WebSocket notifications work without separate config in this version