From 62c5d16110e67078d6bdd519ceddda7e81c41838 Mon Sep 17 00:00:00 2001
From: Spendlik
Date: Thu, 18 Jun 2026 04:16:06 +0000
Subject: [PATCH] Delete 13_vaultwarden_deployment.md
---
13_vaultwarden_deployment.md | 120 -----------------------------------
1 file changed, 120 deletions(-)
delete mode 100644 13_vaultwarden_deployment.md
diff --git a/13_vaultwarden_deployment.md b/13_vaultwarden_deployment.md
deleted file mode 100644
index f4a7b10..0000000
--- a/13_vaultwarden_deployment.md
+++ /dev/null
@@ -1,120 +0,0 @@
-# Vaultwarden Deployment — CT 115
-
-## Overview
-
-Self-hosted Bitwarden-compatible password manager. Deployed on CT 115 via Docker Compose, accessible at `vault.spendlik.sk`.
-
-| Property | Value |
-|---|---|
-| **Container** | CT 115 |
-| **Hostname** | vaultwarden |
-| **IP** | 192.168.1.115 |
-| **OS** | Debian 13 (privileged LXC, `nesting=1`) |
-| **URL** | https://vault.spendlik.sk |
-| **Internal port** | 8080 |
-| **Data path** | `/opt/vaultwarden/data` |
-| **Compose file** | `/opt/vaultwarden/docker-compose.yml` |
-
----
-
-## Docker Compose
-
-Located at `/opt/vaultwarden/docker-compose.yml`:
-
-```yaml
-services:
- vaultwarden:
- image: vaultwarden/server:latest
- restart: unless-stopped
- volumes:
- - ./data:/data
- ports:
- - "8080:80"
- environment:
- DOMAIN: https://vault.spendlik.sk
- SIGNUPS_ALLOWED: "false"
-```
-
-> ⚠️ `SIGNUPS_ALLOWED` was set to `"true"` during initial setup to allow account creation, then changed to `"false"` after the admin account was created.
-
----
-
-## nginx Reverse Proxy (CT 101)
-
-Config at `/etc/nginx/sites-available/vault.spendlik.sk`:
-
-```nginx
-server {
- server_name vault.spendlik.sk;
-
- location / {
- proxy_pass http://192.168.1.115:8080;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-
- listen 443 ssl; # managed by Certbot
- ssl_certificate /etc/letsencrypt/live/vault.spendlik.sk/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/vault.spendlik.sk/privkey.pem;
- include /etc/letsencrypt/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-}
-
-server {
- if ($host = vault.spendlik.sk) {
- return 301 https://$host$request_uri;
- }
- listen 80;
- server_name vault.spendlik.sk;
- return 404;
-}
-```
-
----
-
-## DNS & DDNS
-
-- A record created manually in WebSupport admin (both DNS pages) before SSL issuance
-- `vault.spendlik.sk` added to DDNS updater script in CT 108
-
----
-
-## Deployment Steps (for reference)
-
-1. Create privileged Debian 13 LXC (CT 115, IP 192.168.1.115, `nesting=1`)
-2. `apt update && apt upgrade -y && apt install -y nano curl`
-3. Install Docker: `curl -fsSL https://get.docker.com | sh`
-4. Create `/opt/vaultwarden/docker-compose.yml` with `SIGNUPS_ALLOWED: "true"`
-5. `cd /opt/vaultwarden && docker compose up -d`
-6. Create DNS A record in WebSupport (both pages)
-7. Add `vault.spendlik.sk` to DDNS updater in CT 108
-8. Add nginx vhost in CT 101, enable it, reload nginx
-9. Run certbot, inspect config afterwards
-10. Test from mobile data (hairpin NAT blocks LAN testing)
-11. Create admin account via web UI
-12. Install Bitwarden clients on all devices (Zen browser extension, Galaxy S25, Galaxy Tab S9)
-13. Set `SIGNUPS_ALLOWED: "false"` in compose file, restart container
-
----
-
-## Clients
-
-| Device | Client |
-|---|---|
-| CachyOS (Zen browser) | Bitwarden browser extension |
-| Galaxy S25 | Bitwarden Android app |
-| Galaxy Tab S9 | Bitwarden Android app |
-
-All clients point to `https://vault.spendlik.sk` as the custom server URL.
-
----
-
-## Notes
-
-- Certbot config came out clean after SSL issuance (no corruption)
-- `SHOW_PASSWORD_HINT` not set — using default
-- Admin panel available at `https://vault.spendlik.sk/admin` — token stored in Vaultwarden
-- The "Create Account" link remains visible in the UI even with `SIGNUPS_ALLOWED=false` — this is by design in Vaultwarden; registration attempts are rejected server-side
-- WebSocket notifications work without separate config in this version