Installing Vaultwarden and PostgreSQL on Debian 12 (without Docker)
Vaultwarden is an alternative implementation of the Bitwarden server, written in Rust and compatible with the official Bitwarden clients. This means Vaultwarden can be used in place of the official Bitwarden server for self-hosting on your own infrastructure.
Preparation
Update the system and install the required packages
$ sudo apt update
$ sudo apt -y upgrade
$ sudo apt -y install git nano curl wget htop pkg-config openssl libssl3 libssl-dev
$ sudo apt -y install build-essential
Create the vaultwarden user
$ sudo useradd -m -U -r -d /opt/vaultwarden -s /bin/bash vaultwarden
$ sudo chmod 750 /opt/vaultwarden
Installing Rust
Switch to the vaultwarden user and install Rust
$ sudo su - vaultwarden
$ curl --proto '=https' --tlsv1.3 -sSf https://sh.rustup.rs | sh
1) Proceed with installation (default)
Load the environment variables
$ source ~/.profile
$ source ~/.cargo/env
Check the Rust version
$ rustc -V
rustc 1.75.0 (82e1608df 2023-12-21)
Installing Node.js
Switch back to the user with sudo rights and install Node.js
$ exit
$ sudo apt update && sudo apt -y install ca-certificates curl gnupg
$ curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | sudo gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg
$ NODE_MAJOR=20
$ echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_$NODE_MAJOR.x nodistro main" | sudo tee /etc/apt/sources.list.d/nodesource.list
$ sudo apt update && sudo apt -y install nodejs
$ which npm
/usr/bin/npm
Installing PostgreSQL 16 from the repository
Add the repository and install PostgreSQL
$ sudo apt -y install gnupg2
$ sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'
$ wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -
$ sudo apt update
$ sudo apt -y install postgresql-16 postgresql-contrib-16 libpq-dev
Create the user and database in PostgreSQL
$ sudo su - postgres
$ psql
=# CREATE ROLE "vaultuser" WITH LOGIN PASSWORD 'vaultpasswd';
=# CREATE DATABASE "vaultdb" OWNER "vaultuser";
=# GRANT ALL PRIVILEGES ON DATABASE "vaultdb" TO "vaultuser";
=# GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "vaultuser";
=# \q
$ exit
Edit pg_hba.conf. The author replaces scram-sha-256 with md5 on the two loopback rules; keep in mind that md5 is the weaker of the two methods, and that PostgreSQL 14 and later store passwords as SCRAM hashes by default, in which case the server negotiates SCRAM even when the rule says md5.
$ sudo nano /etc/postgresql/16/main/pg_hba.conf
...
# IPv4 local connections:
#host all all 127.0.0.1/32 scram-sha-256
host all all 127.0.0.1/32 md5
# IPv6 local connections:
#host all all ::1/128 scram-sha-256
host all all ::1/128 md5
...
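Because the authentication method and the client address range in pg_hba.conf decide who can even attempt to log in to the database, it is worth checking the file before restarting. The script below is an added example and not part of the original article: it flags rules that use trust, password or md5, and host rules that accept clients from anywhere other than loopback. The pg_hba.conf content is constructed to mirror the article's two md5 lines plus two deliberately weak rules.

```sh
#!/bin/sh
# Added example (not from the original article): lint a pg_hba.conf for weak
# authentication methods and for host rules that accept non-loopback clients.
# Assumes CIDR-style addresses (as in the Debian default file).

# lint_pg_hba FILE: print one line per finding.
lint_pg_hba() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        {
            type = $1
            if (type == "local") { method = $4; addr = "-" }
            else if (type ~ /^host/) { addr = $4; method = $5 }
            else { next }
            # trust asks for no password at all, password sends it in the clear,
            # md5 is the legacy hash that scram-sha-256 was introduced to replace.
            if (method == "trust" || method == "password" || method == "md5")
                printf "WEAK-METHOD line %d: %s\n", NR, $0
            # Vaultwarden connects over localhost only; anything wider is exposure.
            if (type ~ /^host/ && addr != "127.0.0.1/32" && addr != "::1/128")
                printf "NON-LOOPBACK line %d: %s\n", NR, $0
        }
    ' "$1"
}

# count_pg_hba_findings FILE: number of findings, as a plain integer.
count_pg_hba_findings() {
    lint_pg_hba "$1" | wc -l | tr -d ' '
}

# Constructed sample: the article's md5 lines next to a strict scram rule for
# a LAN range and one fully open trust rule (both added here for illustration).
SAMPLE_HBA=$(mktemp)
cat > "$SAMPLE_HBA" <<'EOF'
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             postgres                                peer
#host   all             all             127.0.0.1/32            scram-sha-256
host    all             all             127.0.0.1/32            md5
host    all             all             ::1/128                 md5
host    vaultdb         vaultuser       192.168.1.0/24          scram-sha-256
host    all             all             0.0.0.0/0               trust
EOF

lint_pg_hba "$SAMPLE_HBA"
```

Run it against /etc/postgresql/16/main/pg_hba.conf after editing; for the setup in this article the only expected output is the two WEAK-METHOD lines for md5, and anything marked NON-LOOPBACK means the database is reachable from other hosts.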
Restart PostgreSQL
$ sudo systemctl restart postgresql@16-main.service
Installing Vaultwarden
Switch to the vaultwarden user, download the source archive, unpack it and build it
$ sudo su - vaultwarden
$ wget https://github.com/dani-garcia/vaultwarden/archive/refs/tags/1.30.1.tar.gz
$ tar xzvf 1.30.1.tar.gz
$ cd vaultwarden-1.30.1
$ cargo clean && cargo build --features postgresql --release
Go to the home directory, download the web interface archive and unpack it
$ cd ~
$ wget https://github.com/dani-garcia/bw_web_builds/releases/download/v2024.1.2/bw_web_v2024.1.2.tar.gz
$ tar xzvf bw_web_v2024.1.2.tar.gz
Create the data directory
$ cd
$ mkdir data
Create the admin password (the binary is in the build directory, not in the home directory)
$ ~/vaultwarden-1.30.1/target/release/vaultwarden hash
Password: superpassword
ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$IuiwAIECsdfsdfsdfsdfgum5TlQFdo$8NDBu0jFXpKdP9XOGcn446CWMUQJeKUPU4OBStjAr18'
Edit the config
$ nano /opt/vaultwarden/vaultwarden-1.30.1/target/release/.env
DATA_FOLDER=/opt/vaultwarden/data
DATABASE_URL='postgresql://vaultuser:vaultpasswd@localhost:5432/vaultdb'
DATABASE_MAX_CONNS=10
WEB_VAULT_FOLDER=/opt/vaultwarden/web-vault/
WEB_VAULT_ENABLED=true
ROCKET_ENV=staging
ROCKET_ADDRESS=127.0.0.1
ROCKET_PORT=4756
ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$IuiwAIECa99J6xElrtyrtyrtyrtyQFdo$8NDBu0jFXpKdP9XOGcn446CWMUQJeKUPU4OBStjAr18'
DISABLE_ADMIN_TOKEN=false
INVITATIONS_ALLOWED=true
DOMAIN=https://vault.itdraft.ru
#LOG_FILE=/var/log/vaultwarden.log
USE_SYSLOG=true
LOG_LEVEL=info
ENABLE_DB_WAL=true
DB_CONNECTION_RETRIES=15
ICON_CACHE_TTL=86400
DISABLE_ICON_DOWNLOAD=true
ICON_DOWNLOAD_TIMEOUT=10
ICON_BLACKLIST_REGEX='^(192\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$'
SIGNUPS_ALLOWED=false
SIGNUPS_VERIFY=false
SIGNUPS_DOMAINS_WHITELIST=itdraft.ru,yandex.ru
#SMTP_HOST=
#SMTP_FROM=
#SMTP_FROM_NAME=
#SMTP_PORT=587
#SMTP_SSL=true
#SMTP_USERNAME=
#SMTP_PASSWORD=
#SMTP_TIMEOUT=
WEBSOCKET_ENABLED=true
WEBSOCKET_ADDRESS=127.0.0.1
WEBSOCKET_PORT=3658
IP_HEADER=X-Real-IP
ORG_CREATION_USERS=[email protected]
TRASH_AUTO_DELETE_DAYS=7
ADMIN_SESSION_LIFETIME=20
SHOW_PASSWORD_HINT=false
#https://github.com/dani-garcia/vaultwarden/blob/main/.env.template
Create a symlink
$ cd ~
$ ln -s vaultwarden-1.30.1 vaultwarden-latest
Systemd Unit
Switch back to the user with sudo rights and create the systemd unit
$ exit
$ sudo nano /etc/systemd/system/vaultwarden.service
[Unit]
Description=Bitwarden Server (Rust Edition)
Documentation=https://github.com/dani-garcia/vaultwarden/
# If you use a database like mariadb,mysql or postgresql,
# you have to add them like the following and uncomment them
# by removing the `# ` before it. This makes sure that your
# database server is started before bitwarden_rs ("After") and has
# started successfully before starting bitwarden_rs ("Requires").
# Only sqlite
#After=network.target
# PostgreSQL
After=network.target postgresql@16-main.service
Requires=postgresql@16-main.service
# Mysql
# After=network.target mysqld.service
# Requires=mysqld.service
# PostgreSQL
# After=network.target postgresql.service
# Requires=postgresql.service
[Service]
# The user/group bitwarden_rs is run under. The working directory (see below) should allow read and write access to this user/group
User=vaultwarden
Group=vaultwarden
# The location of the .env file for configuration
EnvironmentFile=-/opt/vaultwarden/vaultwarden-latest/target/release/.env
# The location of the compiled binary
ExecStart=/opt/vaultwarden/vaultwarden-latest/target/release/vaultwarden
# Set reasonable connection and process limits
LimitNOFILE=1048576
LimitNPROC=64
# Isolate bitwarden_rs from the rest of the system
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
# "strict" mounts the whole file system read-only except the paths listed below;
# systemd ignores a misspelled value here and logs a warning, silently dropping the protection
ProtectSystem=strict
# Only allow writes to the following directories and use the first one as the working directory
WorkingDirectory=/opt/vaultwarden/vaultwarden-latest/target/release/
ReadWriteDirectories=/opt/vaultwarden/vaultwarden-latest/target/release/
# DATA_FOLDER from .env (attachments, sends, icon cache, RSA keys) must be writable as well
ReadWriteDirectories=/opt/vaultwarden/data
# Allow bitwarden_rs to bind ports in the range of 0-1024
#AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
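The .env file and the unit file are edited by hand and nothing validates them before the service starts, so a small pre-start check pays for itself. The script below is an added example, not code from the article or the Vaultwarden project: it verifies the settings this deployment depends on (an argon2-hashed ADMIN_TOKEN, a loopback-only ROCKET_ADDRESS behind nginx, signups disabled, an https DOMAIN, ProtectSystem=strict, and that DATA_FOLDER is covered by a ReadWriteDirectories entry). The .env and unit contents are constructed samples that mirror the article's values, including a unit written with the "ProtectSystem=stric" typo; the admin hash is a placeholder.

```sh
#!/bin/sh
# Added example (not part of the article): sanity-check the Vaultwarden .env and
# systemd unit for the settings the deployment relies on.

# env_get FILE KEY: value of KEY=VALUE in a dotenv file, surrounding quotes removed.
env_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | sed "s/^['\"]//; s/['\"]\$//"
}

# unit_get FILE KEY: value of the last KEY= assignment in a systemd unit (last one wins).
unit_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# check_vaultwarden_config ENV_FILE UNIT_FILE: print one line per problem found.
check_vaultwarden_config() {
    envf="$1"; unitf="$2"
    case "$(env_get "$envf" ADMIN_TOKEN)" in
        '$argon2'*) ;;  # produced by `vaultwarden hash`, as in the article
        *) echo "ADMIN_TOKEN is not an argon2 hash; generate one with 'vaultwarden hash'" ;;
    esac
    [ "$(env_get "$envf" ROCKET_ADDRESS)" = "127.0.0.1" ] ||
        echo "ROCKET_ADDRESS is not 127.0.0.1; Vaultwarden should only be reachable through nginx"
    [ "$(env_get "$envf" SIGNUPS_ALLOWED)" = "false" ] ||
        echo "SIGNUPS_ALLOWED is not false; anyone reaching the vault could register"
    case "$(env_get "$envf" DOMAIN)" in
        https://*) ;;
        *) echo "DOMAIN does not start with https://" ;;
    esac
    [ "$(unit_get "$unitf" ProtectSystem)" = "strict" ] ||
        echo "ProtectSystem is not 'strict' (systemd ignores a misspelled value and logs a warning)"
    # Under ProtectSystem=strict only ReadWritePaths/ReadWriteDirectories are writable;
    # DATA_FOLDER must sit under one of them or attachments and keys cannot be stored.
    data="$(env_get "$envf" DATA_FOLDER)"
    covered=no
    for rw in $(sed -n -e 's/^ReadWritePaths=//p' -e 's/^ReadWriteDirectories=//p' "$unitf"); do
        case "$data/" in "${rw%/}/"*) covered=yes ;; esac
    done
    [ "$covered" = yes ] ||
        echo "DATA_FOLDER=$data is not writable under ProtectSystem=strict; add ReadWriteDirectories=$data"
}

# count_config_problems ENV_FILE UNIT_FILE: number of problem lines, as a plain integer.
count_config_problems() {
    check_vaultwarden_config "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample .env with the article's values and a placeholder hash.
ENV_FILE=$(mktemp)
cat > "$ENV_FILE" <<'EOF'
DATA_FOLDER=/opt/vaultwarden/data
DATABASE_URL='postgresql://vaultuser:vaultpasswd@localhost:5432/vaultdb'
ROCKET_ADDRESS=127.0.0.1
ROCKET_PORT=4756
ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$EXAMPLESALT$EXAMPLEHASH'
DOMAIN=https://vault.itdraft.ru
SIGNUPS_ALLOWED=false
EOF

# Constructed unit with the typo and without a writable data folder.
UNIT_AS_WRITTEN=$(mktemp)
cat > "$UNIT_AS_WRITTEN" <<'EOF'
[Service]
User=vaultwarden
ProtectSystem=stric
WorkingDirectory=/opt/vaultwarden/vaultwarden-latest/target/release/
ReadWriteDirectories=/opt/vaultwarden/vaultwarden-latest/target/release/
EOF

# The same unit with both problems fixed.
UNIT_FIXED=$(mktemp)
sed 's/^ProtectSystem=stric$/ProtectSystem=strict/' "$UNIT_AS_WRITTEN" > "$UNIT_FIXED"
echo 'ReadWriteDirectories=/opt/vaultwarden/data' >> "$UNIT_FIXED"

check_vaultwarden_config "$ENV_FILE" "$UNIT_AS_WRITTEN"   # two problems reported
check_vaultwarden_config "$ENV_FILE" "$UNIT_FIXED"        # nothing reported
```

On a real host call `check_vaultwarden_config /opt/vaultwarden/vaultwarden-latest/target/release/.env /etc/systemd/system/vaultwarden.service` before `systemctl start`; an empty output means the checked settings match the article's intent.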
Reload the units, start the Vaultwarden service and enable it at boot
$ sudo systemctl daemon-reload
$ sudo systemctl start vaultwarden.service
$ sudo systemctl enable vaultwarden.service
Installing and configuring Nginx
Add the Nginx repository
$ wget --quiet -O - https://nginx.org/keys/nginx_signing.key | sudo apt-key add -
$ sudo nano /etc/apt/sources.list.d/nginx.list
# NGINX repo
deb https://nginx.org/packages/mainline/debian/ bookworm nginx
deb-src https://nginx.org/packages/mainline/debian bookworm nginx
Install Nginx
$ sudo apt update
$ sudo apt -y install nginx
Create the config for Vaultwarden
$ sudo mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf_disabled
$ sudo nano /etc/nginx/conf.d/vaultwarden.conf
# The `upstream` directives ensure that you have a http/1.1 connection
# This enables the keepalive option and better performance
#
# Define the server IP and ports here.
upstream vaultwarden-default {
    zone vaultwarden-default 64k;
    server 127.0.0.1:4756;
    keepalive 2;
}
# Needed to support websocket connections
# See: https://nginx.org/en/docs/http/websocket.html
# Instead of "close" as stated in the above link we send an empty value.
# Else all keepalive connections will not work.
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' "";
}
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    server_name vault.itdraft.ru;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }
    error_log /var/log/nginx/vaultwarden_error.log;
    access_log /var/log/nginx/vaultwarden_access.log;
    # Allow large attachments
    client_max_body_size 128M;
    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://vaultwarden-default;
    }
}
Reload Nginx
$ sudo systemctl restart nginx
Configuring LDAP authentication
Switch to the vaultwarden user, download the source archive and build it
$ sudo su - vaultwarden
$ wget https://github.com/ViViDboarder/vaultwarden_ldap/archive/refs/tags/v0.6.2.tar.gz
$ tar xzf v0.6.2.tar.gz
$ cd vaultwarden_ldap-0.6.2/
$ cargo build --locked --release
Create the config.toml
$ cd /opt/vaultwarden/vaultwarden_ldap-0.6.2/
$ cp example.config.toml target/release/config.toml
$ nano target/release/config.toml
vaultwarden_url = "https://vault.itdraft.ru"
vaultwarden_admin_token = "superpasswd"
ldap_host = "ldap.itdraft.ru"
#ldap_scheme = "ldap"
ldap_bind_dn = "cn=vaultwarden_s,ou=ServiceAccounts,dc=itdraft,dc=ru"
ldap_bind_password = "mypasswd"
ldap_search_base_dn = "ou=Users,dc=itdraft,dc=ru"
ldap_search_filter = "(&(objectClass=user)(|(memberOf=cn=staff.01,ou=Groups,dc=itdraft,dc=ru)))"
ldap_sync_interval_seconds = 3600
Create a symlink
$ cd ~
$ ln -s vaultwarden_ldap-0.6.2 vaultwarden_ldap-latest
Switch back to the user with sudo rights and create the systemd unit
$ exit
$ sudo nano /etc/systemd/system/vaultwarden-ldap.service
[Unit]
Description=Bitwarden LDAP (Rust Edition)
Documentation=https://github.com/ViViDboarder/vaultwarden_ldap
After=network.target postgresql@16-main.service
Requires=vaultwarden.service
[Service]
# The user/group vaultwarden_ldap is run under. The working directory (see below) should allow read and write access to this user/group
User=vaultwarden
Group=vaultwarden
# The location of the .env file for configuration
EnvironmentFile=/opt/vaultwarden/vaultwarden_ldap-latest/target/release/config.toml
# The location of the compiled binary
ExecStart=/opt/vaultwarden/vaultwarden_ldap-latest/target/release/vaultwarden_ldap
# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
WorkingDirectory=/opt/vaultwarden/vaultwarden_ldap-latest/target/release/
ReadWriteDirectories=/opt/vaultwarden/vaultwarden_ldap-latest/target/release/
[Install]
WantedBy=multi-user.target
Reload the units, start the Vaultwarden LDAP service and enable it at boot
$ sudo systemctl daemon-reload
$ sudo systemctl start vaultwarden-ldap
$ sudo systemctl status vaultwarden-ldap
$ sudo systemctl enable vaultwarden-ldap
UPD. Upgrading from 1.30.1 to 1.30.2
$ sudo su - vaultwarden
$ wget https://github.com/dani-garcia/vaultwarden/archive/refs/tags/1.30.2.tar.gz
$ tar xzf 1.30.2.tar.gz
$ cd vaultwarden-1.30.2
$ cargo clean && cargo build --features postgresql --release
$ cd ../
$ cp vaultwarden-1.30.1/target/release/.env vaultwarden-1.30.2/target/release/.env
$ ln -sfn vaultwarden-1.30.2 vaultwarden-latest
$ exit
$ sudo systemctl restart vaultwarden.service
$ sudo systemctl status vaultwarden.service
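The upgrade hinges on repointing the vaultwarden-latest symlink; because the link already exists and points at a directory, a plain `ln -s` creates the new link inside the old release directory and the service silently keeps running the previous build. The script below is an added example, not part of the article: it shows that behaviour, then performs the switch with `ln -sfn`, keeps the previous target in a vaultwarden-previous link for rollback, and refuses to switch to a release that has no built binary. The release directories are constructed in a temporary tree, not under /opt/vaultwarden.

```sh
#!/bin/sh
# Added example (not from the article): switch the vaultwarden-latest symlink to a
# new release safely. All paths below live in a temporary directory created here.

# switch_release HOME NEW_DIR: repoint HOME/vaultwarden-latest at NEW_DIR (a
# directory name relative to HOME) and remember the old target for rollback.
switch_release() {
    home="$1"; new="$2"
    # Refuse to point the service at a release that was not built.
    [ -x "$home/$new/target/release/vaultwarden" ] ||
        { echo "no built binary in $new" >&2; return 1; }
    if [ -L "$home/vaultwarden-latest" ]; then
        ln -sfn "$(readlink "$home/vaultwarden-latest")" "$home/vaultwarden-previous"
    fi
    # -f replaces an existing link; -n stops ln from descending into the old target.
    ln -sfn "$new" "$home/vaultwarden-latest"
}

# current_release HOME: directory that vaultwarden-latest currently points to.
current_release() {
    readlink "$1/vaultwarden-latest"
}

# Constructed tree with two fake builds whose "binary" just prints its version.
DEMO=$(mktemp -d)
for v in 1.30.1 1.30.2; do
    mkdir -p "$DEMO/vaultwarden-$v/target/release"
    printf '#!/bin/sh\necho vaultwarden %s\n' "$v" > "$DEMO/vaultwarden-$v/target/release/vaultwarden"
    chmod +x "$DEMO/vaultwarden-$v/target/release/vaultwarden"
done
ln -s vaultwarden-1.30.1 "$DEMO/vaultwarden-latest"

# What a plain `ln -s` does against the existing link: the link is not replaced,
# a dangling vaultwarden-1.30.2 link appears inside vaultwarden-1.30.1 instead.
ln -s vaultwarden-1.30.2 "$DEMO/vaultwarden-latest" 2>/dev/null || true
echo "after plain ln -s: $(current_release "$DEMO")"
rm -f "$DEMO/vaultwarden-1.30.1/vaultwarden-1.30.2"

switch_release "$DEMO" vaultwarden-1.30.2
echo "after switch_release: $(current_release "$DEMO")"
"$DEMO/vaultwarden-latest/target/release/vaultwarden"
```

After `switch_release`, `readlink` reports vaultwarden-1.30.2 and vaultwarden-previous points at 1.30.1, so a rollback is a second `switch_release` with the old directory name followed by `systemctl restart vaultwarden.service`.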