diff --git a/13_vaultwarden_deployment.md b/13_vaultwarden_deployment.md new file mode 100644 index 0000000..f4a7b10 --- /dev/null +++ b/13_vaultwarden_deployment.md 
@@ -0,0 +1,120 @@ +# Vaultwarden Deployment — CT 115 + +## Overview + +Self-hosted Bitwarden-compatible password manager. Deployed on CT 115 via Docker Compose, accessible at `vault.spendlik.sk`. + +| Property | Value | +|---|---| +| **Container** | CT 115 | +| **Hostname** | vaultwarden | +| **IP** | 192.168.1.115 | +| **OS** | Debian 13 (privileged LXC, `nesting=1`) | +| **URL** | https://vault.spendlik.sk | +| **Internal port** | 8080 | +| **Data path** | `/opt/vaultwarden/data` | +| **Compose file** | `/opt/vaultwarden/docker-compose.yml` | + +--- + +## Docker Compose + +Located at `/opt/vaultwarden/docker-compose.yml`: + +```yaml +services: + vaultwarden: + image: vaultwarden/server:latest + restart: unless-stopped + volumes: + - ./data:/data + ports: + - "8080:80" + environment: + DOMAIN: https://vault.spendlik.sk + SIGNUPS_ALLOWED: "false" +``` + +> ⚠️ `SIGNUPS_ALLOWED` was set to `"true"` during initial setup to allow account creation, then changed to `"false"` after the admin account was created. 
+ +--- + +## nginx Reverse Proxy (CT 101) + +Config at `/etc/nginx/sites-available/vault.spendlik.sk`: + +```nginx +server { + server_name vault.spendlik.sk; + + location / { + proxy_pass http://192.168.1.115:8080; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/vault.spendlik.sk/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/vault.spendlik.sk/privkey.pem; + include /etc/letsencrypt/options-ssl-nginx.conf; + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; +} + +server { + if ($host = vault.spendlik.sk) { + return 301 https://$host$request_uri; + } + listen 80; + server_name vault.spendlik.sk; + return 404; +} +``` + +--- + +## DNS & DDNS + +- A record created manually in WebSupport admin (both DNS pages) before SSL issuance +- `vault.spendlik.sk` added to DDNS updater script in CT 108 + +--- + +## Deployment Steps (for reference) + +1. Create privileged Debian 13 LXC (CT 115, IP 192.168.1.115, `nesting=1`) +2. `apt update && apt upgrade -y && apt install -y nano curl` +3. Install Docker: `curl -fsSL https://get.docker.com | sh` +4. Create `/opt/vaultwarden/docker-compose.yml` with `SIGNUPS_ALLOWED: "true"` +5. `cd /opt/vaultwarden && docker compose up -d` +6. Create DNS A record in WebSupport (both pages) +7. Add `vault.spendlik.sk` to DDNS updater in CT 108 +8. Add nginx vhost in CT 101, enable it, reload nginx +9. Run certbot, inspect config afterwards +10. Test from mobile data (hairpin NAT blocks LAN testing) +11. Create admin account via web UI +12. Install Bitwarden clients on all devices (Zen browser extension, Galaxy S25, Galaxy Tab S9) +13. 
Set `SIGNUPS_ALLOWED: "false"` in compose file, restart container + +--- + +## Clients + +| Device | Client | +|---|---| +| CachyOS (Zen browser) | Bitwarden browser extension | +| Galaxy S25 | Bitwarden Android app | +| Galaxy Tab S9 | Bitwarden Android app | + +All clients point to `https://vault.spendlik.sk` as the custom server URL. + +--- + +## Notes + +- Certbot config came out clean after SSL issuance (no corruption) +- `SHOW_PASSWORD_HINT` not set — using default +- Admin panel available at `https://vault.spendlik.sk/admin` — token stored in Vaultwarden +- The "Create Account" link remains visible in the UI even with `SIGNUPS_ALLOWED=false` — this is by design in Vaultwarden; registration attempts are rejected server-side +- WebSocket notifications work without separate config in this version
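Review bot: the compose file in this hunk publishes the container as `"8080:80"`, which binds port 8080 on every interface of CT 115, so the plaintext Vaultwarden listener is reachable from any LAN host rather than only from the nginx proxy on CT 101 that terminates TLS; consider limiting it (a host firewall rule on CT 115 that allows 192.168.1.115:8080 only from CT 101, or a Docker network shared with the proxy) and record the choice in this page. Two smaller points in the same hunk: `image: vaultwarden/server:latest` should be pinned to a release tag so a routine `docker compose pull` cannot silently upgrade the vault, and the Notes section says the admin panel is available at `/admin` while the compose file sets no `ADMIN_TOKEN`, so the doc should state where that token is configured and that it is stored in Vaultwarden's hashed (Argon2 PHC) form rather than as a plaintext value. The nginx `location /` block also lacks `proxy_http_version 1.1;` and the `Upgrade`/`Connection "upgrade"` headers, so the note that WebSocket notifications "work without separate config" is worth re-verifying through the proxy, since nginx does not pass WebSocket upgrades without them. Finally, `/opt/vaultwarden/data` holds the SQLite database, RSA keys and attachments, but no backup step appears in the Deployment Steps; add one, and note that the privileged LXC with `nesting=1` was chosen for Docker so a future reader knows it was a deliberate trade-off.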