service/vault.md

@@ -54,24 +54,32 @@ persistent data, eg. `/srv/vaultwarden-data`.
 Then, run this command to instantiate a container with the desired
 configuration:
 
-    podman run -d --name vaultwarden -e DOMAIN=https://vault.torproject.org -e SIGNUPS_ALLOWED=false -e ROCKET_PORT=8080 -v /srv/vaultwarden-data/:/data/:Z -p 8080:8080 quay.io/vaultwarden/server:latest
+    podman run -d --name vaultwarden \
+        --label io.containers.autoupdate=registry \
+        -e DOMAIN=https://vault.torproject.org \
+        -e SIGNUPS_ALLOWED=false \
+        -e ROCKET_PORT=8080 \
+        -v /srv/vaultwarden-data/:/data/:Z \
+        -p 8080:8080 \
+        quay.io/vaultwarden/server:latest
 
 It's possible the above command fails with a networking error. In this case,
 reboot the machine to allow the required modules to load.
 
 It's recommended to generate a systemd service to start the container at
-startup:
+startup and for auto-upgrades to work:
 
-    podman generate systemd --name vaultwarden > /etc/systemd/system/container-vaultwarden.service
+    podman generate systemd --new --name vaultwarden > /etc/systemd/system/container-vaultwarden.service
     systemctl start container-vaultwarden
 
 The installation requirements are recorded in the GitLab ticket: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41541
 
 ## Upgrades
 
-<!-- how upgrades are performed. preferably automated through Debian -->
-<!-- packages, otherwise document how upgrades are performed. see also -->
-<!-- the Testing section below -->
+When created as above, with label `io.containers.autoupdate=registry` and the
+`--new` switch on the `podman generate systemd` command, the container will be
+auto-upgraded daily from the upstream container registry via the
+`podman-auto-update` service/timer unit pair.
 
 ## SLA