Changes

anarcat · fc22c473
--- a/service/vault.md
+++ b/service/vault.md
@@ -59,11 +59,81 @@ To set it up, deploy the `profile::vaultwarden` Puppet profile. This will:
  `/srv/vault.torproject.org/data`
 - deploy a cron job to create a database backup

-The installation requirements are recorded in the GitLab ticket:
-https://gitlab.torproject.org/tpo/tpa/team/-/issues/41541
+The installation requirements are recorded in the GitLab ticket
+[tpo/tpa/team#41541](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41541).

 [Podman]: https://podman.io/

+### Manual
+
+This procedure documents a manual installation performed in a lab, for
+testing purposes. It was also done manually because the environment is
+different than production (Apache vs Nginx, Docker vs Podman).
+
+ 1. create system user
+ 
+        addgroup --system vaultwarden
+        adduser --system vaultwarden
+
+ 2. create a Docker compose file, note how the `user` is numeric
+    below, it needs to match the UID and GID created above:
+
+```
+version: '3'
+services:
+  vaultwarden:
+    image: vaultwarden/server:latest
+    container_name: vaultwarden
+    restart: always
+    environment:
+      DOMAIN: "https://vault.anarc.at"
+      SIGNUPS_ALLOWED: "false"
+      ROCKET_ADDRESS: "127.0.0.1"
+      ROCKET_PORT: 8086
+      IP_HEADER: "X-Forwarded-For"
+      SMTP_PORT: 25
+      SMTP_HOST: "localhost"
+      SMTP_FROM: "vault@anarc.at"
+      HELO_NAME: "vault.anarc.at"
+      SMTP_SECURITY: "off"
+    env_file: "admin-token.env"
+    volumes:
+      - data:/data:Z
+    restart: unless-stopped
+    network_mode: host
+    user: 108:127
+volumes:
+  data:
+```
+
+ 3. create the secrets file:
+
+        # generate a strong secret and store it in your password manager
+        tr -dc '[:alnum:]' < /dev/urandom | head -c  40
+        docker run --rm -it  vaultwarden/server /vaultwarden hash
+    
+    copy-paste the `ADMIN_TOKEN` line in the `/etc/docker/admin-token.env` file.
+
+ 4. start the container, which will fail on a permission issue:
+ 
+        docker-compose up
+
+ 5. fix perms:
+ 
+        chown vaultwarden:vaultwarden /var/lib/docker/volumes/vaultwarden_data/_data
+
+ 6. start the container properly
+
+        docker-compose up
+
+ 7. setup DNS, webserver and TLS, see their [proxy examples](https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples)
+
+ 8. setup backups, upgrades, fail2ban, etc
+
+Assuming you setup the service on the domain `vault.example.com`, head
+towards `https://vault.example.com/admin` to access the admin
+interface.
+
 ## Upgrades

 Because the cintainer is started with label `io.containers.autoupdate=registry`