service/vault.md +72 −2
@@ -59,11 +59,81 @@ To set it up, deploy the `profile::vaultwarden` Puppet profile. This will: `/srv/vault.torproject.org/data` - deploy a cron job to create a database backup The installation requirements are recorded in the GitLab ticket: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41541 The installation requirements are recorded in the GitLab ticket [tpo/tpa/team#41541](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41541). [Podman]: https://podman.io/ ### Manual This procedure documents a manual installation performed in a lab, for testing purposes. It was also done manually because the environment is different than production (Apache vs Nginx, Docker vs Podman). 1. create system user addgroup --system vaultwarden adduser --system vaultwarden 2. create a Docker compose file, note how the `user` is numeric below, it needs to match the UID and GID created above: ``` version: '3' services: vaultwarden: image: vaultwarden/server:latest container_name: vaultwarden restart: always environment: DOMAIN: "https://vault.anarc.at" SIGNUPS_ALLOWED: "false" ROCKET_ADDRESS: "127.0.0.1" ROCKET_PORT: 8086 IP_HEADER: "X-Forwarded-For" SMTP_PORT: 25 SMTP_HOST: "localhost" SMTP_FROM: "vault@anarc.at" HELO_NAME: "vault.anarc.at" SMTP_SECURITY: "off" env_file: "admin-token.env" volumes: - data:/data:Z restart: unless-stopped network_mode: host user: 108:127 volumes: data: ``` 3. create the secrets file: # generate a strong secret and store it in your password manager tr -dc '[:alnum:]' < /dev/urandom | head -c 40 docker run --rm -it vaultwarden/server /vaultwarden hash copy-paste the `ADMIN_TOKEN` line in the `/etc/docker/admin-token.env` file. 4. start the container, which will fail on a permission issue: docker-compose up 5. fix perms: chown vaultwarden:vaultwarden /var/lib/docker/volumes/vaultwarden_data/_data 6. start the container properly docker-compose up 7. 
setup DNS, webserver and TLS, see their [proxy examples](https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples) 8. setup backups, upgrades, fail2ban, etc Assuming you setup the service on the domain `vault.example.com`, head towards `https://vault.example.com/admin` to access the admin interface. ## Upgrades Because the cintainer is started with label `io.containers.autoupdate=registry`
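Review bot: The compose file added in this hunk sets `restart` twice on the `vaultwarden` service (`restart: always` near the top of the service block and `restart: unless-stopped` after `volumes`); a YAML mapping must not repeat a key, so some parsers reject the file and others silently keep the last value, and the two values differ in whether a manually stopped container is brought back when the daemon restarts. Keep only one, presumably `restart: unless-stopped`. Smaller points in the same hunk: `env_file: "admin-token.env"` is resolved relative to the compose file while step 3 writes the token to `/etc/docker/admin-token.env`, so state that the compose file lives in `/etc/docker` (or use the absolute path) and add a `chmod 0600` for that file, since the `ADMIN_TOKEN` line is the credential for `/admin`; the `chown` in step 5 hard-codes `/var/lib/docker/volumes/vaultwarden_data/_data`, whose `vaultwarden_` prefix comes from the compose project (directory) name, so either note that or pre-create the data directory with the right owner so the first `docker-compose up` does not have to fail before step 5; the compose example uses `DOMAIN: "https://vault.anarc.at"` while the closing paragraph assumes `vault.example.com`, which reads as two different deployments; and the Upgrades sentence has "cintainer" for "container".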