# Vaultwarden Deployment — CT 115

## Overview

Self-hosted Bitwarden-compatible password manager. Deployed on CT 115 via Docker Compose, accessible at `vault.spendlik.sk`.

| Property | Value |
|---|---|
| **Container** | CT 115 |
| **Hostname** | vaultwarden |
| **IP** | 192.168.1.115 |
| **OS** | Debian 13 (privileged LXC, `nesting=1`) |
| **URL** | https://vault.spendlik.sk |
| **Internal port** | 8080 |
| **Data path** | `/opt/vaultwarden/data` |
| **Compose file** | `/opt/vaultwarden/docker-compose.yml` |

---

## Docker Compose

Located at `/opt/vaultwarden/docker-compose.yml`:

```yaml
services:
  vaultwarden:
    image: vaultwarden/server:latest
    restart: unless-stopped
    volumes:
      - ./data:/data
    ports:
      - "8080:80"
    environment:
      DOMAIN: https://vault.spendlik.sk
      SIGNUPS_ALLOWED: "false"
```

> ⚠️ `SIGNUPS_ALLOWED` was set to `"true"` during initial setup to allow account creation, then changed to `"false"` after the admin account was created.

---

## nginx Reverse Proxy (CT 101)

Config at `/etc/nginx/sites-available/vault.spendlik.sk`:

```nginx
server {
    server_name vault.spendlik.sk;

    location / {
        proxy_pass http://192.168.1.115:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/vault.spendlik.sk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vault.spendlik.sk/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

server {
    if ($host = vault.spendlik.sk) {
        return 301 https://$host$request_uri;
    }

    listen 80;
    server_name vault.spendlik.sk;
    return 404;
}
```

---

## DNS & DDNS

- A record created manually in WebSupport admin (both DNS pages) before SSL issuance
- `vault.spendlik.sk` added to DDNS updater script in CT 108

---

## Deployment Steps (for reference)

1. Create privileged Debian 13 LXC (CT 115, IP 192.168.1.115, `nesting=1`)
2. `apt update && apt upgrade -y && apt install -y nano curl`
3. Install Docker: `curl -fsSL https://get.docker.com | sh`
4. Create `/opt/vaultwarden/docker-compose.yml` with `SIGNUPS_ALLOWED: "true"`
5. `cd /opt/vaultwarden && docker compose up -d`
6. Create DNS A record in WebSupport (both pages)
7. Add `vault.spendlik.sk` to DDNS updater in CT 108
8. Add nginx vhost in CT 101, enable it, reload nginx
9. Run certbot, inspect config afterwards
10. Test from mobile data (hairpin NAT blocks LAN testing)
11. Create admin account via web UI
12. Install Bitwarden clients on all devices (Zen browser extension, Galaxy S25, Galaxy Tab S9)
13. Set `SIGNUPS_ALLOWED: "false"` in compose file, restart container

---

## Clients

| Device | Client |
|---|---|
| CachyOS (Zen browser) | Bitwarden browser extension |
| Galaxy S25 | Bitwarden Android app |
| Galaxy Tab S9 | Bitwarden Android app |

All clients point to `https://vault.spendlik.sk` as the custom server URL.

---

## Notes

- Certbot config came out clean after SSL issuance (no corruption)
- `SHOW_PASSWORD_HINT` not set — using default
- Admin panel available at `https://vault.spendlik.sk/admin` — token stored in Vaultwarden
- The "Create Account" link remains visible in the UI even with `SIGNUPS_ALLOWED=false` — this is by design in Vaultwarden; registration attempts are rejected server-side
- WebSocket notifications work without separate config in this version
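
Added example, not part of the original deployment notes: step 13 only closes registration once the running container has the new value, and environment changes in a compose file are applied when the container is recreated (`docker compose up -d`), not by `docker compose restart`. The script below compares the compose file with the environment of the running container; the function names and the demo values are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): verify that the signup lock-down
# in the compose file is what the running container actually uses.

# Print KEY's value from a compose environment section. Handles the mapping
# form (KEY: "value") and the list form (- KEY=value); commented lines are ignored.
compose_value() {  # usage: compose_value KEY FILE
  sed -nE "s/^[[:space:]]*(-[[:space:]]*)?$1[[:space:]]*[:=][[:space:]]*//p" "$2" |
    head -n 1 | tr -d "\"'" | sed -E 's/[[:space:]]+(#.*)?$//'
}

# Print KEY's value from KEY=value lines on stdin, the format produced by
#   docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' ID
env_value() {  # usage: env_value KEY < env-lines
  sed -n "s/^$1=//p" | head -n 1
}

# Signups stay open when the variable is unset, so only an explicit "false"
# (any case) counts as closed in this check.
signups_closed() {  # usage: signups_closed VALUE
  [ "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" = "false" ]
}

# Return 0 only when the file and the running container both close signups;
# 1 = file still open, 2 = file fixed but container not recreated.
audit_signups() {  # usage: audit_signups COMPOSE_FILE < env-lines
  local want have
  want=$(compose_value SIGNUPS_ALLOWED "$1")
  have=$(env_value SIGNUPS_ALLOWED)
  if ! signups_closed "$want"; then
    echo "FAIL: compose file leaves signups open (SIGNUPS_ALLOWED='$want')"
    return 1
  fi
  if ! signups_closed "$have"; then
    echo "FAIL: container runs with SIGNUPS_ALLOWED='$have'; run 'docker compose up -d'"
    return 2
  fi
  echo "OK: signups closed in compose file and in running container"
}

# Constructed demo: compose file already edited (step 13), container not yet recreated.
demo() {
  local f rc; f=$(mktemp)
  printf 'environment:\n  SIGNUPS_ALLOWED: "false"\n' > "$f"
  printf 'DOMAIN=https://vault.spendlik.sk\nSIGNUPS_ALLOWED=true\n' | audit_signups "$f"
  rc=$?; rm -f "$f"; return "$rc"
}
```

On CT 115, run from `/opt/vaultwarden` and pipe `docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' "$(docker compose ps -q vaultwarden)"` into `audit_signups docker-compose.yml`.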