Introduction to Vaultwarden
Vaultwarden is an open-source server written in Rust that is compatible with the Bitwarden clients; it stores login passwords, identities and other sensitive data.
Bitwarden's own server is open source too, but it is demanding on resources (it generally wants more than 2 GB of RAM), whereas Vaultwarden runs in about 10 MB, which makes it a much better fit for a small private server.
Setup
This guide deploys Vaultwarden with Docker, so first make sure Docker and Docker Compose are installed on the server (see Installing Docker and Installing Docker Compose).
Create a directory on the host for the container's persistent data, /docker/vaultwarden/data/, then write a docker-compose.yml in /docker/vaultwarden/ with the following content:
services:
  VaultWarden:
    image: "vaultwarden/server:latest"
    container_name: "vaultwarden"
    restart: "unless-stopped"
    volumes:
      - "/docker/vaultwarden/data:/data"
    ports:
      # bound to loopback on purpose: only the local Nginx reverse proxy may reach it
      - "127.0.0.1:8000:80"
    environment:
      - TZ=Asia/Shanghai
      # argon2 PHC string, with every $ written as $$ (see below), not the plaintext token
      - ADMIN_TOKEN=YourStrongToken
      # full URL including the scheme, not just the host name
      - DOMAIN=https://YourDomain
      - SIGNUPS_ALLOWED=true
      - WEB_VAULT_ENABLED=true
      - LOG_FILE=/data/vaultwarden.log
      - SHOW_PASSWORD_HINT=false
      # SMTP CONFIG
      - SMTP_HOST=mail.xxx.com
      - SMTP_PORT=465
      - SMTP_SECURITY=force_tls
      - [email protected]
      - SMTP_PASSWORD=Password
      - [email protected]
The main environment variables:
SIGNUPS_ALLOWED: must be true at first, otherwise no account can be registered at all. For a private instance, register your own account and then set it to false so that nobody else can sign up (you can still invite users from the admin page afterwards).
ADMIN_TOKEN: very important; it is the password for the admin page (/admin) where the configuration can be changed. Generate a secret with openssl rand -base64 48, then hash that secret into an argon2 PHC string and record the PHC string here (keep the plaintext in your password manager, it is what you type into /admin). If the container is started with Docker Compose, every $ in the PHC string has to be written as $$, because Compose would otherwise interpolate $v, $m and so on as variables and the stored hash would never match; see the official documentation for details.
DOMAIN: the full URL the vault is served at, scheme included (https://YourDomain); Vaultwarden uses it for the links in its e-mails and for WebAuthn, so a bare host name is not enough.
SHOW_PASSWORD_HINT: controls whether the master password hint is shown on the login page. Leave it false unless you want anyone who types your e-mail address on the login form to see the hint.
WEB_VAULT_ENABLED: enables the web vault, i.e. the browser UI.
SMTP: the SMTP settings must match your mail provider (the login user and the sender address appear as placeholders above); see the official documentation for the variables. Note that a configured mailbox does not let you recover the master password: it only e-mails you the hint you set. A forgotten master password cannot be recovered by anyone, the server operator included, so guard it carefully!
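Putting the ADMIN_TOKEN steps above into a script, as an added example that is not code from the original post or from the Vaultwarden project. It assumes the argon2 CLI (package argon2 on Debian/Ubuntu) and openssl are installed on the host, uses the argon2id parameters from the official wiki's argon2 example (-k 65540 -t 3 -p 4), and assumes the compose file is /docker/vaultwarden/docker-compose.yml; the PHC strings in the comments are made-up samples. The escaping function is the part people get wrong: one missed $ and the admin page rejects the token you just generated.

```shell
#!/bin/sh
# Added example: generate, hash and compose-escape an ADMIN_TOKEN.
# Not code from the original post or from Vaultwarden. Assumes the argon2 CLI
# (package "argon2") and openssl on the host, and a compose file at
# /docker/vaultwarden/docker-compose.yml. PHC strings in comments are samples.
set -eu

COMPOSE_FILE="${COMPOSE_FILE:-/docker/vaultwarden/docker-compose.yml}"

# Every "$" in a PHC string must be doubled in docker-compose.yml, otherwise
# Compose treats "$v", "$m", ... as variable references and the stored hash
# never matches the token you type into /admin.
#   $argon2id$v=19$m=65540,t=3,p=4$c2FsdA$aGFzaA  ->  $$argon2id$$v=19$$m=65540,t=3,p=4$$c2FsdA$$aGFzaA
escape_compose_dollars() {
    printf '%s' "$1" | sed 's/\$/$$/g'
}

# Sanity check before pasting: the hashing step must have produced an argon2id
# PHC string (version, parameters, salt and hash after the algorithm id), not
# an error message. Returns 0 if the shape is right.
is_argon2_phc() {
    case "$1" in
        '$argon2id$v=19$'*'$'*'$'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Hash a plaintext token with the argon2id parameters from the official wiki's
# argon2 example (64 MiB, 3 passes, 4 lanes). The token goes in via stdin so
# it never appears on a command line that other users could read in "ps".
hash_admin_token() {
    printf '%s' "$1" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4
}

# Generate a token, hash it, and print both the token to keep and the line
# to paste under "environment:" in docker-compose.yml.
make_admin_token() {
    token=$(openssl rand -base64 48)
    phc=$(hash_admin_token "$token")
    is_argon2_phc "$phc" || { echo "argon2 did not return a PHC string: $phc" >&2; return 1; }
    echo "Plaintext token (store it in your password manager; it cannot be recovered from the hash):"
    echo "  $token"
    echo "Line for docker-compose.yml:"
    echo "  - ADMIN_TOKEN=$(escape_compose_dollars "$phc")"
    echo "After editing, 'docker-compose -f $COMPOSE_FILE config' must show the hash with single \$ signs again."
}

if [ "${1:-}" = "--generate" ]; then
    make_admin_token
fi
```

Run it with --generate to get a fresh token and the line to paste. The check at the end is worth doing every time: docker-compose config prints the compose file after interpolation, so if ADMIN_TOKEN comes back with single $ signs the escaping was right. The interactive docker run --rm -it vaultwarden/server /vaultwarden hash from the official documentation produces the same kind of PHC string if you would rather not install argon2 on the host.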
Then run docker-compose up -d to start the container. Because the port mapping binds 127.0.0.1, the service is now reachable only on the server itself, so Nginx is set up as a reverse proxy in front of it. The configuration is below (replace the domain and the certificate paths with your own):
# The 'upstream' directive ensures you have an http/1.1 connection
# with the keepalive option enabled, which performs better.
#
# The server IP and port are defined here.
upstream vaultwarden-default {
    zone vaultwarden-default 64k;
    server 127.0.0.1:8000;
    keepalive 2;
}

# Only needed to support websocket connections.
# See: https://nginx.org/en/docs/http/websocket.html
# Instead of "close" as stated in the above link we send an empty value.
# Otherwise all keepalive connections stop working.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      "";
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name YourDomain;
    return 301 https://$server_name$request_uri;
}

server {
    # For older versions of nginx, append http2 to the listen line after ssl and remove 'http2 on;'.
    listen 443 ssl;
    http2 on;
    server_name YourDomain;

    # Specify the SSL configuration as needed
    ssl_certificate /etc/letsencrypt/live/YourDomain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/YourDomain/privkey.pem;
    #ssl_trusted_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;

    # large enough for attachments and Sends
    client_max_body_size 525M;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://vaultwarden-default;
    }

    # Optionally add extra authentication besides the ADMIN_TOKEN.
    # Remove the '#' comments below and create the htpasswd_file to activate it.
    #
    #location /admin {
    #    # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
    #    auth_basic "Private";
    #    auth_basic_user_file /path/to/htpasswd_file;
    #
    #    proxy_http_version 1.1;
    #    proxy_set_header Upgrade $http_upgrade;
    #    proxy_set_header Connection $connection_upgrade;
    #
    #    proxy_set_header Host $host;
    #    proxy_set_header X-Real-IP $remote_addr;
    #    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #    proxy_set_header X-Forwarded-Proto $scheme;
    #
    #    proxy_pass http://vaultwarden-default;
    #}
}
Start (or reload) Nginx and the service is reachable at your domain; open it and register your account.
Bear in mind that while SIGNUPS_ALLOWED is true anyone who can reach the domain can register, so once your own account exists, set SIGNUPS_ALLOWED to false in docker-compose.yml and run docker-compose up -d again; Compose recreates the container with the new environment. Additional users can still be created later by invitation from the admin page.
Configuration and usage
After the deployment above, you can simply open the web page, log in and start using it. To change the configuration, edit the environment variables in docker-compose.yml (the list of supported variables is here). The admin page at https://your_domain/admin can change the same settings, but that is not recommended: values saved there are written to /data/config.json and take precedence over the environment variables, so once you have used it, edits to docker-compose.yml silently stop applying to those settings.
Because Vaultwarden implements the Bitwarden server API, the official Bitwarden clients for every platform can log in to your own instance: enter https://YourDomain as the self-hosted server URL in the client's settings before logging in. The Bitwarden browser extension likewise does autofill on web pages.
Backup
Passwords are about the most sensitive data there is, so to survive a server failure these files need a backup.
Everything Vaultwarden needs, the passwords included, is under /data in the container, i.e. the directory we mounted from the host: db.sqlite3 (plus a -wal journal while the server runs), rsa_key.pem (the key that signs login tokens), attachments/, sends/, and config.json if the admin page has been used (it can hold the SMTP password and the admin token hash). Backing that directory up on a schedule is therefore enough. Two caveats: do not simply copy db.sqlite3 while Vaultwarden is running, take a consistent snapshot with SQLite's own command, sqlite3 db.sqlite3 ".backup copy.sqlite3", instead; and treat the archive as a secret in its own right, because although vault entries are encrypted client-side with your master password, the signing key and config.json are not. Keep it on a remote you control, or wrap the remote in rclone's crypt backend (option 14 in the list below) so uploads are encrypted before they leave the server.
What follows is only the scheme I currently use: rclone uploads the packed data on a schedule to my own Nextcloud instance. See here for installing rclone and the official documentation for its usage; once it is installed, configure your remote first:
$ rclone config
2023/12/31 19:28:56 NOTICE: Config file "/root/.config/rclone/rclone.conf" not found - using defaults
No remotes found, make a new one?
n) New remote
s) Set configuration password
q) Quit config
n/s/q> n
Enter name for new remote.
name> nextcloud
Option Storage.
Type of storage to configure.
Choose a number from below, or type in your own value.
1 / 1Fichier
\ (fichier)
2 / Akamai NetStorage
\ (netstorage)
3 / Alias for an existing remote
\ (alias)
4 / Amazon Drive
\ (amazon cloud drive)
5 / Amazon S3 Compliant Storage Providers including AWS, Alibaba, ArvanCloud, Ceph, ChinaMobile, Cloudflare, DigitalOcean, Dreamhost, GCS, HuaweiOBS, IBMCOS, IDrive, IONOS, LyveCloud, Leviia, Liara, Linode, Minio, Netease, Petabox, RackCorp, Rclone, Scaleway, SeaweedFS, StackPath, Storj, Synology, TencentCOS, Wasabi, Qiniu and others
\ (s3)
6 / Backblaze B2
\ (b2)
7 / Better checksums for other remotes
\ (hasher)
8 / Box
\ (box)
9 / Cache a remote
\ (cache)
10 / Citrix Sharefile
\ (sharefile)
11 / Combine several remotes into one
\ (combine)
12 / Compress a remote
\ (compress)
13 / Dropbox
\ (dropbox)
14 / Encrypt/Decrypt a remote
\ (crypt)
15 / Enterprise File Fabric
\ (filefabric)
16 / FTP
\ (ftp)
17 / Google Cloud Storage (this is not Google Drive)
\ (google cloud storage)
18 / Google Drive
\ (drive)
19 / Google Photos
\ (google photos)
20 / HTTP
\ (http)
21 / Hadoop distributed file system
\ (hdfs)
22 / HiDrive
\ (hidrive)
23 / ImageKit.io
\ (imagekit)
24 / In memory object storage system.
\ (memory)
25 / Internet Archive
\ (internetarchive)
26 / Jottacloud
\ (jottacloud)
27 / Koofr, Digi Storage and other Koofr-compatible storage providers
\ (koofr)
28 / Linkbox
\ (linkbox)
29 / Local Disk
\ (local)
30 / Mail.ru Cloud
\ (mailru)
31 / Mega
\ (mega)
32 / Microsoft Azure Blob Storage
\ (azureblob)
33 / Microsoft Azure Files
\ (azurefiles)
34 / Microsoft OneDrive
\ (onedrive)
35 / OpenDrive
\ (opendrive)
36 / OpenStack Swift (Rackspace Cloud Files, Blomp Cloud Storage, Memset Memstore, OVH)
\ (swift)
37 / Oracle Cloud Infrastructure Object Storage
\ (oracleobjectstorage)
38 / Pcloud
\ (pcloud)
39 / PikPak
\ (pikpak)
40 / Proton Drive
\ (protondrive)
41 / Put.io
\ (putio)
42 / QingCloud Object Storage
\ (qingstor)
43 / Quatrix by Maytech
\ (quatrix)
44 / SMB / CIFS
\ (smb)
45 / SSH/SFTP
\ (sftp)
46 / Sia Decentralized Cloud
\ (sia)
47 / Storj Decentralized Cloud Storage
\ (storj)
48 / Sugarsync
\ (sugarsync)
49 / Transparently chunk/split large files
\ (chunker)
50 / Union merges the contents of several upstream fs
\ (union)
51 / Uptobox
\ (uptobox)
52 / WebDAV
\ (webdav)
53 / Yandex Disk
\ (yandex)
54 / Zoho
\ (zoho)
55 / premiumize.me
\ (premiumizeme)
56 / seafile
\ (seafile)
Storage> 52
Option url.
URL of http host to connect to.
E.g. https://example.com.
Enter a value.
url> https://your_domain/remote.php/dav/files/user_name
Option vendor.
Name of the WebDAV site/service/software you are using.
Choose a number from below, or type in your own value.
Press Enter to leave empty.
1 / Fastmail Files
\ (fastmail)
2 / Nextcloud
\ (nextcloud)
3 / Owncloud
\ (owncloud)
4 / Sharepoint Online, authenticated by Microsoft account
\ (sharepoint)
5 / Sharepoint with NTLM authentication, usually self-hosted or on-premises
\ (sharepoint-ntlm)
6 / rclone WebDAV server to serve a remote over HTTP via the WebDAV protocol
\ (rclone)
7 / Other site/service or software
\ (other)
vendor> 2
Option user.
User name.
In case NTLM authentication is used, the username should be in the format 'Domain\User'.
Enter a value. Press Enter to leave empty.
user> user_name
Option pass.
Password.
Choose an alternative below. Press Enter for the default (n).
y) Yes, type in my own password
g) Generate random password
n) No, leave this optional password blank (default)
y/g/n> y
Enter the password:
password:
Confirm the password:
password:
Option bearer_token.
Bearer token instead of user/pass (e.g. a Macaroon).
Enter a value. Press Enter to leave empty.
bearer_token>
Edit advanced config?
y) Yes
n) No (default)
y/n>
Configuration complete.
Options:
- type: webdav
- url: https://your_domain/remote.php/dav/files/user_name
- vendor: nextcloud
- user: user_name
- pass: *** ENCRYPTED ***
Keep this "nextcloud" remote?
y) Yes this is OK (default)
e) Edit this remote
d) Delete this remote
y/e/d>
Current remotes:
Name Type
==== ====
nextcloud webdav
e) Edit existing remote
n) New remote
d) Delete remote
r) Rename remote
c) Copy remote
s) Set configuration password
q) Quit config
e/n/d/r/c/s/q> q
After configuring, test that the remote is reachable:
rclone lsd nextcloud:   # lists the directories at the root; nextcloud is the name I gave my Nextcloud remote during rclone config
Once that works, write a vaultwarden_backup.sh script to do the backup (this script uploads to two remotes, nextcloud1 and nextcloud2, each configured as above, and keeps only the two newest archives on each):
#!/bin/bash
# Backs up the Vaultwarden data directory to two rclone remotes (nextcloud1 and
# nextcloud2, configured as above) and keeps only the two newest archives on each.
# Needs the sqlite3 CLI on the host (apt install sqlite3): copying db.sqlite3
# while Vaultwarden is running can capture a half-written database, so the
# database is snapshotted with SQLite's own .backup command instead.
set -euo pipefail
SOURCE_DIR="/docker/vaultwarden/data"
DEST_DIR1="nextcloud1:/dav/Local Storage/Backups/Vaultwarden"
DEST_DIR2="nextcloud2:/dav/Local Storage/Backups/Vaultwarden"
CURRENT_DATE=$(date +"%Y-%m-%d")
WORK_DIR=$(mktemp -d)
ARCHIVE="$WORK_DIR/Vaultwarden_data_$CURRENT_DATE.tar.gz"
trap 'rm -rf "$WORK_DIR"' EXIT   # never leave a plaintext copy behind in /tmp

# Stage a copy: everything except the live database files, plus a consistent DB snapshot
mkdir "$WORK_DIR/data"
cp -a "$SOURCE_DIR"/. "$WORK_DIR/data/"
rm -f "$WORK_DIR"/data/db.sqlite3*
sqlite3 "$SOURCE_DIR/db.sqlite3" ".backup '$WORK_DIR/data/db.sqlite3'"
tar -C "$WORK_DIR" -zcf "$ARCHIVE" data

rclone copy "$ARCHIVE" "$DEST_DIR1"
rclone copy "$ARCHIVE" "$DEST_DIR2"

# Keep only the two most recent backups on each remote (lsf prints "time path", sorted newest first)
for dest in "$DEST_DIR1" "$DEST_DIR2"; do
    rclone lsf --files-only --format tp --separator " " "$dest" | sort -r | awk 'NR>2 {print $NF}' | while read -r file; do
        rclone deletefile "$dest/$file"
    done
done
Then schedule it to run every day at midnight: run crontab -e and append the following line at the bottom:
0 0 * * * /root/vaultwarden_backup.sh > /root/vaultwarden_backup.log 2>&1
Make the script executable (chmod +x /root/vaultwarden_backup.sh) and run it once by hand before trusting the schedule; the log file shows any rclone or sqlite3 errors. After saving, the scheduled backup is in place.
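A backup that has never been restored is not a backup. The drill below is an added example, not code from the original post or from Vaultwarden: it picks the newest archive on the remote by the timestamp column of rclone lsf, verifies it offline (the required files are present and the database passes SQLite's integrity check), and only then swaps it into the data directory with the container stopped. It assumes the remote path used by the backup script, archives with a top-level data/ directory (set MEMBER_PREFIX otherwise), a container named vaultwarden as in the compose file, and the sqlite3 CLI on the host for the integrity check.

```shell
#!/bin/sh
# Added example: restore drill for the archives produced by vaultwarden_backup.sh.
# Not code from the original post or from Vaultwarden. Assumes the remote path
# used by that script and an archive layout with a top-level "data/" directory
# (set MEMBER_PREFIX="" if your archives hold the files at the top level).
set -eu

REMOTE_DIR="${REMOTE_DIR:-nextcloud1:/dav/Local Storage/Backups/Vaultwarden}"
MEMBER_PREFIX="${MEMBER_PREFIX:-data/}"
DATA_DIR="${DATA_DIR:-/docker/vaultwarden/data}"

# Reads "time path" lines as printed by
#   rclone lsf --files-only --format tp --separator " " REMOTE
# on stdin and prints the path of the newest archive. Sorting on the
# timestamp column rather than the file name means a renamed or mis-dated
# archive cannot fool the selection.
newest_backup() {
    sort -r | awk 'NR==1 {print $NF}'
}

# Extracts ARCHIVE into a fresh temp dir and checks that the files Vaultwarden
# cannot start without are present and that the database passes SQLite's
# integrity check (when the sqlite3 CLI is installed). Prints the extraction
# directory on success; returns 1 and cleans up on any failure.
verify_backup_archive() {
    archive=$1
    extract_dir=$(mktemp -d)
    tar -C "$extract_dir" -xzf "$archive"
    for f in db.sqlite3 rsa_key.pem; do
        if [ ! -f "$extract_dir/$MEMBER_PREFIX$f" ]; then
            echo "$archive: missing $MEMBER_PREFIX$f" >&2
            rm -rf "$extract_dir"
            return 1
        fi
    done
    if command -v sqlite3 >/dev/null 2>&1; then
        check=$(sqlite3 "$extract_dir/${MEMBER_PREFIX}db.sqlite3" "PRAGMA integrity_check;" || true)
        if [ "$check" != "ok" ]; then
            echo "$archive: integrity_check failed: $check" >&2
            rm -rf "$extract_dir"
            return 1
        fi
    else
        echo "sqlite3 not installed, skipping PRAGMA integrity_check" >&2
    fi
    printf '%s\n' "$extract_dir"
}

# Full drill: fetch the newest archive, verify it, then swap it in with the
# container stopped. The previous data directory is kept as DATA_DIR.old until
# you have logged in and confirmed the restored vault.
restore_latest() {
    work=$(mktemp -d)
    name=$(rclone lsf --files-only --format tp --separator " " "$REMOTE_DIR" | newest_backup)
    if [ -z "$name" ]; then
        echo "no backups found in $REMOTE_DIR" >&2
        return 1
    fi
    rclone copy "$REMOTE_DIR/$name" "$work"
    extracted=$(verify_backup_archive "$work/$name")   # set -e aborts here if verification fails
    docker stop vaultwarden
    rm -rf "$DATA_DIR.old"
    mv "$DATA_DIR" "$DATA_DIR.old"
    mv "$extracted/${MEMBER_PREFIX%/}" "$DATA_DIR"
    docker start vaultwarden
    rm -rf "$work" "$extracted"
}

if [ "${1:-}" = "--restore" ]; then
    restore_latest
fi
```

verify_backup_archive can also be run on its own against an archive you have just downloaded, which is the cheap check worth doing after each backup; the --restore path is for an actual recovery, or for a periodic drill on a scratch server where you then log in with a Bitwarden client and confirm the vault contents before deleting the .old directory.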
Besides the method above, you can also deploy Syncthing to synchronise the data directory; see this article for details.