homelab/setup/vaultwarden.md
2026-04-20 20:49:48 -04:00
Vaultwarden Setup

Overview

Vaultwarden runs in the vault LXC (10.2.0.X) in VLAN 1020 (Homelab). It is isolated: no shared containers and no shared Postgres. It is reachable at https://vault.lerkolabs.com through Caddy with Authentik forward auth, and only over the VPN (it is not exposed to the internet directly).

LXC Spec

| Property | Value |
|----------|-------|
| Hostname | vault |
| IP | 10.2.0.X/24 (TBD) |
| Gateway | 10.2.0.1 |
| DNS | 10.2.0.11 |
| Cores | 1 |
| RAM | 256MB |
| Disk | 4GB |
| Template | debian-12-standard |
| Nesting | |

Prerequisites

  • Caddy running at 10.2.0.20
  • Pi-hole DNS record: vault.lerkolabs.com → 10.2.0.20

Installation

apt update && apt upgrade -y
apt install -y curl nano
timedatectl set-timezone <your/timezone>
curl -fsSL https://get.docker.com | sh
systemctl enable docker
mkdir -p /opt/docker/vaultwarden/data

Configuration

# /opt/docker/vaultwarden/docker-compose.yml
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    ports:
      - "80:80"
    volumes:
      - ./data:/data
    environment:
      - DOMAIN=https://vault.lerkolabs.com
      - SIGNUPS_ALLOWED=true    # set false after creating your account
      - WEBSOCKET_ENABLED=true
      - LOG_FILE=/data/vaultwarden.log
      - LOG_LEVEL=warn
      - ROCKET_PORT=80

cd /opt/docker/vaultwarden
docker compose up -d
docker logs -f vaultwarden

Initial Account Setup

  1. Navigate to https://vault.lerkolabs.com
  2. Create your account
  3. Set SIGNUPS_ALLOWED=false in docker-compose.yml and restart:
     docker compose up -d

Enable Admin Panel

openssl rand -base64 48  # generate admin token

Add to environment in docker-compose.yml:

- ADMIN_TOKEN=<generated_token>

Access admin panel at: https://vault.lerkolabs.com/admin

Caddy Configuration

Add to Caddyfile on infra LXC:

vault.lerkolabs.com {
    import authentik_forward_auth
    reverse_proxy 10.2.0.X:80
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        Referrer-Policy "no-referrer"
    }
}

Connecting Bitwarden Clients

In any official Bitwarden client (mobile, desktop, browser extension):

Settings → Self-hosted Environment
Server URL: https://vault.lerkolabs.com

Backup

#!/bin/bash
# /opt/backup-vaultwarden.sh
set -u
BACKUP_DIR="/opt/backups/vaultwarden"
DATA_PARENT="/opt/docker/vaultwarden"
DATE=$(date +%Y%m%d-%H%M%S)
mkdir -p "$BACKUP_DIR"

# Stop the container so the SQLite database is not written to mid-copy;
# the trap restarts it even if tar fails.
docker stop vaultwarden
trap 'docker start vaultwarden' EXIT
# Archive the data/ directory relative to its parent, so the archive restores
# with: tar -xzf <archive> -C /opt/docker/vaultwarden
tar -czf "$BACKUP_DIR/vaultwarden-$DATE.tar.gz" -C "$DATA_PARENT" data

# Keep the last 7 days of archives
find "$BACKUP_DIR" -name "*.tar.gz" -mtime +7 -delete

chmod +x /opt/backup-vaultwarden.sh
crontab -e
# Add: 0 2 * * * /opt/backup-vaultwarden.sh >> /var/log/vaultwarden-backup.log 2>&1

Verification

# Container running
docker ps

# Accessible via Caddy
curl -I https://vault.lerkolabs.com
# Expected: HTTP/2 200 or 302 (Authentik redirect)

# Data directory exists
ls /opt/docker/vaultwarden/data/
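The curl check above only shows the status line. The script below, an added example rather than part of these notes, also confirms that the hardening headers from the Caddyfile reach the client; the Authentik hostname in the constructed sample response is a placeholder.

```sh
#!/bin/sh
# Added example (not from the original setup notes): confirm the status is the
# 200/302 expected above and that the Caddyfile hardening headers are present.
# Constructed sample of what `curl -I` returns for a healthy, Authentik-fronted vault.
SAMPLE_OK='HTTP/2 302
location: https://authentik.example/outpost.goauthentik.io/start?rd=%2F
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
x-frame-options: DENY
referrer-policy: no-referrer'
# header_value RESPONSE NAME: print the first value of NAME (name matched case-insensitively).
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i "^$2:" | head -n 1 | sed 's/^[^:]*: *//'
}
# expect_header RESPONSE NAME WANT: 0 if the header equals WANT, otherwise report and return 1.
expect_header() {
    got=$(header_value "$1" "$2")
    [ "$got" = "$3" ] && return 0
    echo "FAIL $2: got '$got', want '$3'"
    return 1
}
# check_response RESPONSE: run every check and return 0 only if all of them pass.
check_response() {
    fail=0
    code=$(printf '%s\n' "$1" | tr -d '\r' | head -n 1 | awk '{print $2}')
    case "$code" in
        200|302) ;;   # 302 is the Authentik forward-auth redirect
        *) echo "FAIL status: '$code'"; fail=1 ;;
    esac
    hsts=$(header_value "$1" strict-transport-security)
    maxage=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$maxage" ] || [ "$maxage" -lt 31536000 ]; then
        echo "FAIL strict-transport-security: '$hsts'"; fail=1
    fi
    expect_header "$1" x-content-type-options nosniff || fail=1
    expect_header "$1" x-frame-options DENY || fail=1
    expect_header "$1" referrer-policy no-referrer || fail=1
    return $fail
}
# No argument: check the sample. "-": read a response from stdin. Otherwise: read the named file.
case "${1:-}" in
    "") resp="$SAMPLE_OK" ;;
    -)  resp=$(cat) ;;
    *)  resp=$(cat "$1") ;;
esac
check_response "$resp" && echo "all checks passed"
```

Run it against the live host with `curl -sI https://vault.lerkolabs.com | sh check-vault-headers.sh -`; a non-zero exit means at least one check printed a FAIL line.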

Updates

cd /opt/docker/vaultwarden
docker compose pull
docker compose up -d
docker image prune -f