But I want it so badly! All i need to figure out is:
reverse proxys (I stumbled through getting one caddy instance setup so far but gosh I struggle with that also, nginx proxy manager seems like my next step)
a rock solid backup/restore setup (but first I need to figure out where the vaultwarden alpine files live, then be able to get those off of the proxmox vm)
this is more of a vent, than a request for someone to spell it all out for me. But I wouldn’t be upset if anyone had the time to point me in the right direction for me.
Would it just be easier to run a keypass XC and syncthing setup?
You must log in or # to comment.
Vaultwarden itself is actually one of the easiest docker apps to deploy…if you already have the foundation of your home lab setup correctly.
The foundation has a steep learning curve.
Domain name, dynamic DNS update, port forwarding, reverse proxy. Not easy to get all this working perfectly but once it does you can use the same foundation to install any app. If you already had the foundation working, additional apps take only a few minutes.
Want ebooks? Calibre takes 10 mins. Want link archiving? Linkwarden takes 10 mins
And on and on
The foundation of your server makes a huge difference. Well worth getting it right at the start and then building on it.
I use this setup: https://youtu.be/liV3c9m_OX8
Local only websites that use https (Vaultwarden) and then external websites that also use https (jellyfin).
As a non-technical person at the bottom of the learning curve, I can vouch for its steepness.
Honestly these things are really vital to learn if you want to be self hosting, however if you’re unfamiliar with them I would not start with your password vault. You’re almost certainly going to make mistakes and risk losing the vault. I would learn on something less vital then once you’re feeling more comfortable add vault warden.
On the positive side, if your vaultwarden server dies, the cached vault on any/all of your devices can be logged into and export the vault.
That’s more of a general DevOps/server admin steep learning curve than Vaultwarden’s there, to be fair.
It looks a bit complicated at first as Docker isn’t a trivial abstraction, but it’s well worth it once it’s all set up and going. Each container is always the same, and always independent. Vaultwarden per-se isn’t too bad to run without a container, but the same Docker setup can be used for say, Jitsi which is an absolute mess of components to install and make work, some Java stuff, and all. But with Docker? Just
docker compose up -d, wait a minute or two and it’s good to go, just need to point your reverse proxy to it.Why do you need a reverse proxy? Because it’s a centralized location where everything comes in, and instead of having 10 different apps with their own certificates and ports, you have one proxy, one port, and a handful of certificates all managed together so you don’t have to figure out how to make all those apps play together nicely. Caddy is fine, you don’t need NGINX if you use Caddy. There’s also Traefik which lands in between Caddy and NGINX in ease of use. There’s also HAproxy. They all do the same fundamental thing: traffic comes in as HTTPS, it gets the Host header from the request and sends it to the right container as plain HTTP. Well it doesn’t have to work that way specifically but that’s the most common use case in self hosted.
As for your backups, if you used a Docker compose file, the volume data should be in the same directory. But it’s probably using some sort of database so you might want to look into how to do periodic data exports instead, as databases don’t like to be backed up live since the file is always being updated so you can’t really get a proper snapshot of it in one go.
But yeah, try to think of it as an infrastructure investment that makes deploying more apps in the future a breeze. Want to add a NextCloud? Add another docker compose file and start it, Caddy picks it up automagically and boom, it’s live and good to go!
Moving services to a new server is also pretty easy as well. Copy over your configs and composes, and volumes if applicable. Start them all, and they should all get back exactly in the same state as they were on the other box. No services to install and configure, no repos to add, no distro to maintain. All built into the container by someone else so you don’t have to worry about any of it. Each update of the app will bring with it the whole matching updated OS with the right packages in the right versions.
As a DevOps engineer we love the whole thing because I can have a Kubernetes cluster running on a whole rack and be like “here’s the apps I want you to run” and it just figures itself out, automatically balances the load, if a server goes down the containers respawn on another one and keeps going as if nothing happened. We don’t have to manually log into any of those servers to install services to run an app. More upfront work for minimal work afterwards.
Really? Have you set up services with docker before? I found it super easy compared to other systems. Curious what specifically threw you as I barely did anything except spin it up.
Nginx proxy manager made it pretty easy.
Not sure if this is a path you’d want to follow but I use it with Cloudflare tunnels.
Don’t do that, please: there’s less than no reason to make your entire password vault accessible on the public internet.
Vaultwarden is probably secure, and the vault data is probably encrypted in a way that’s not vulnerable, but I mean, why add the attack surface?
Yeah yeah, exceptions, but if you legitimately have an exception you already know it and I’d bet that the vast majority of people don’t, or would be much better served by a VPN tunnel than just rawdogging an argo tunnel.
Have nginx for all my reverse proxies, it wasn’t trivial, but I used it for a lot of other things so it’s fine.
I back it up manually to encrypted json, it’s not the right way, but I never had much of a proper backup system, other than zfs snapshots and occasionally mirroring to another zfs pool.
It’s not a lot of extra work once you have the rest of your apps running, it’s fairly low maintenance and mostly just works, but again I haven’t bothered with backups really.
Edit: Running most if not all my services on freebsd as jails, that might have made it easier.
maybe its just me, but self hosting is more about learning to run and then simplify my setup. Thats why I read the documentation for the project I want to deploy, then see if I have anything that looks similar. But as I’ve been doing self hosting for almost 20 years, plus working at a SaaS company. I have done a lot of things with a lot of different tech
All my docker stuff has a very common look to it, also I have tried a lot of stuff. See my Git repo with some examples -> https://github.com/mhzawadi/docker-stash
Just pay for BitWarden maybe? It’s cheap.
Self hosting has the advantage of keeping your encrypted vault local and under your control.
Technically, if it wasn’t for the unofficial server component, you had to pay for a subscription even if you self host
Dirt cheap actually. But still I’m setting up a self hosted version. I suppose that’s why we’re here.
“self hosted” not “cheapest”
It is literally the product OP is struggling to host and understand. Nothing wrong with saving yourself the struggle and recover time by just buying the official product.
Why not set up backups for the Proxmox VM and be done with it?
Also makes it easy to add offsite backups via the Proxmox Backup Server in the future.
https://github.com/rsmsctr/vaultwardenGuide
It doesn’t cover backups though. It uses Caddy instead of NGINX, and it uses DuckDNS to point a subdomain to your private IP address of your Vaultwarden server, so it will only be accessible in your LAN.
At least one great thing about bitwarden, the passwords are stored on each device, so you kind of already have backups. That being said backups for vaultwarden is still beneficial.
Yeah, I’m not sure whether Bitwarden always had support for exporting the vault on mobile, but it’s an awesome feature.
Easier? Yes, definitely. Maybe work on the Vaultwarden stuff in parts, instead of all in one go.
Also, if you’re using Proxmox, you might just back up your whole VM to PBS. That’s how I do it. But that takes a bit of work to set up on its own.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters DNS Domain Name Service/System Git Popular version control system, primarily for code HTTP Hypertext Transfer Protocol, the Web HTTPS HTTP over SSL IP Internet Protocol SSL Secure Sockets Layer, for transparent encryption VPN Virtual Private Network nginx Popular HTTP server
[Thread #966 for this sub, first seen 11th Sep 2024, 17:45] [FAQ] [Full list] [Contact] [Source code]
I have vaultwarden in docker but I don’t expose my instance externally as you really don’t need to. Put the bitwarden app on your phone sign into the instance and it will work even if your instance is borked. You can’t add items but it works.
My suggestion, run it in docker and just back up the entire docker compose and folder structure as that includes the database as well.
If you want to expose it use nginx proxy manager its dead simple and awesome.
So I use reverse proxies etc with my containers for others services
But KeePass with rsync is easier for passwords. I just use termux on my phone
