Spendlik/Claude_Homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7f198ed877
Claude_Homelab/115_vaultwarden_deployment.md

3.5 KiB
Raw Blame History

Vaultwarden Deployment — CT 115

Overview

Self-hosted Bitwarden-compatible password manager. Deployed on CT 115 via Docker Compose, accessible at vault.spendlik.sk.

Property Value
Container CT 115
Hostname vaultwarden
IP 192.168.1.115
OS Debian 13 (privileged LXC, nesting=1)
URL https://vault.spendlik.sk
Internal port 8080
Data path /opt/vaultwarden/data
Compose file /opt/vaultwarden/docker-compose.yml

Docker Compose

Located at /opt/vaultwarden/docker-compose.yml:

services:
  vaultwarden:
    image: vaultwarden/server:latest
    restart: unless-stopped
    volumes:
      - ./data:/data
    ports:
      - "8080:80"
    environment:
      DOMAIN: https://vault.spendlik.sk
      SIGNUPS_ALLOWED: "false"

⚠️ SIGNUPS_ALLOWED was set to "true" during initial setup to allow account creation, then changed to "false" after the admin account was created.

nginx Reverse Proxy (CT 101)

Config at /etc/nginx/sites-available/vault.spendlik.sk:

server {
    server_name vault.spendlik.sk;

    location / {
        proxy_pass http://192.168.1.115:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/vault.spendlik.sk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vault.spendlik.sk/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

server {
    if ($host = vault.spendlik.sk) {
        return 301 https://$host$request_uri;
    }
    listen 80;
    server_name vault.spendlik.sk;
    return 404;
}

DNS & DDNS

  • A record created manually in WebSupport admin (both DNS pages) before SSL issuance
  • vault.spendlik.sk added to DDNS updater script in CT 108

Deployment Steps (for reference)

  1. Create privileged Debian 13 LXC (CT 115, IP 192.168.1.115, nesting=1)
  2. apt update && apt upgrade -y && apt install -y nano curl
  3. Install Docker: curl -fsSL https://get.docker.com | sh
  4. Create /opt/vaultwarden/docker-compose.yml with SIGNUPS_ALLOWED: "true"
  5. cd /opt/vaultwarden && docker compose up -d
  6. Create DNS A record in WebSupport (both pages)
  7. Add vault.spendlik.sk to DDNS updater in CT 108
  8. Add nginx vhost in CT 101, enable it, reload nginx
  9. Run certbot, inspect config afterwards
  10. Test from mobile data (hairpin NAT blocks LAN testing)
  11. Create admin account via web UI
  12. Install Bitwarden clients on all devices (Zen browser extension, Galaxy S25, Galaxy Tab S9)
  13. Set SIGNUPS_ALLOWED: "false" in compose file, restart container

Clients

Device Client
CachyOS (Zen browser) Bitwarden browser extension
Galaxy S25 Bitwarden Android app
Galaxy Tab S9 Bitwarden Android app

All clients point to https://vault.spendlik.sk as the custom server URL.

Notes

  • Certbot config came out clean after SSL issuance (no corruption)
  • Admin panel available at https://vault.spendlik.sk/admin — token stored in Vaultwarden
  • The "Create Account" link remains visible in the UI even with SIGNUPS_ALLOWED=false — this is by design in Vaultwarden; registration attempts are rejected server-side
  • WebSocket notifications work without separate config in this version