193 lines
5.1 KiB
Markdown
193 lines
5.1 KiB
Markdown
🛠️ Kapitel 6 – Vaultwarden (ohne Docker, systemd) – Tutorial
|
||
Ein Weg, ohne Alternativen. Niveau: wie Readme dieses Kapitels.
|
||
|
||
——————————
|
||
Ziel
|
||
Vaultwarden als native Binary im Debian‑12‑LXC per systemd betreiben und hinter dem Nginx Proxy Manager veröffentlichen (HTTPS + WebSockets). Öffentliche Registrierung aus, Admin‑Token gesetzt, optional SMTP, Basis‑Backup.
|
||
|
||
Voraussetzungen
|
||
|
||
* LXC: Debian 12 (Bookworm), root
|
||
* NPM in separatem LXC vorhanden (Domain + Let’s Encrypt)
|
||
* LXC‑IP von Vaultwarden: \<VW\_IP> (z. B. 10.0.0.16)
|
||
|
||
Kerneinstellungen (fix)
|
||
|
||
* **ROCKET\_ADDRESS = \<VW\_IP>** (weil NPM in separatem LXC läuft)
|
||
* **ROCKET\_PORT = 8000**
|
||
* **WEBSOCKET\_ADDRESS = \<VW\_IP>**, **WEBSOCKET\_PORT = 3012**
|
||
* **DOMAIN = [https://pass.DEINE‑DOMAIN.tld](https://pass.DEINE‑DOMAIN.tld)**
|
||
* **ADMIN\_TOKEN =** sicher, ≥ 64 Zeichen
|
||
* **SIGNUPS\_ALLOWED = false**
|
||
|
||
——————————
|
||
|
||
1. System vorbereiten
|
||
|
||
```bash
|
||
apt update && apt upgrade -y
|
||
apt install -y ca-certificates curl unzip openssl
|
||
# Systemnutzer ohne Login
|
||
useradd --system --home /var/lib/vaultwarden --shell /usr/sbin/nologin vaultwarden || true
|
||
|
||
# Verzeichnisse
|
||
mkdir -p /opt/vaultwarden
|
||
mkdir -p /var/lib/vaultwarden/data
|
||
chown -R vaultwarden:vaultwarden /var/lib/vaultwarden
|
||
```
|
||
|
||
Prüfen:
|
||
|
||
```bash
|
||
id vaultwarden
|
||
ls -ld /opt/vaultwarden /var/lib/vaultwarden /var/lib/vaultwarden/data
|
||
```
|
||
|
||
2. Binary laden und installieren
|
||
|
||
> Wir laden immer die **neueste** „x86\_64‑unknown‑linux‑gnu“‑Release von GitHub.
|
||
|
||
```bash
|
||
VW_URL=$(curl -s https://api.github.com/repos/dani-garcia/vaultwarden/releases/latest \
|
||
| grep browser_download_url \
|
||
| grep x86_64-unknown-linux-gnu.tar.gz \
|
||
| cut -d '"' -f 4)
|
||
|
||
curl -L "$VW_URL" -o /tmp/vaultwarden.tar.gz
|
||
mkdir -p /tmp/vw && tar -xzf /tmp/vaultwarden.tar.gz -C /tmp/vw
|
||
install -m 0755 /tmp/vw/vaultwarden /opt/vaultwarden/vaultwarden
|
||
```
|
||
|
||
Prüfen:
|
||
|
||
```bash
|
||
/opt/vaultwarden/vaultwarden --version || true
|
||
```
|
||
|
||
3. Konfiguration anlegen
|
||
|
||
```bash
|
||
cat >/etc/vaultwarden.env <<'EOF'
|
||
DOMAIN=https://pass.DEINE-DOMAIN.tld
|
||
ADMIN_TOKEN=$(openssl rand -base64 48)
|
||
SIGNUPS_ALLOWED=false
|
||
WEBSOCKET_ENABLED=true
|
||
ROCKET_ADDRESS=<VW_IP>
|
||
ROCKET_PORT=8000
|
||
WEBSOCKET_ADDRESS=<VW_IP>
|
||
WEBSOCKET_PORT=3012
|
||
# Optional SMTP
|
||
# SMTP_HOST=smtp.example.com
|
||
# SMTP_FROM=pass@example.com
|
||
# SMTP_PORT=587
|
||
# SMTP_SECURITY=starttls
|
||
# SMTP_USERNAME=user
|
||
# SMTP_PASSWORD=deinPasswort
|
||
EOF
|
||
|
||
chown root:vaultwarden /etc/vaultwarden.env
|
||
chmod 0640 /etc/vaultwarden.env
|
||
```
|
||
|
||
Prüfen:
|
||
|
||
```bash
|
||
grep -E '^(DOMAIN|ROCKET_ADDRESS|WEBSOCKET_ADDRESS)=' /etc/vaultwarden.env
|
||
```
|
||
|
||
4. systemd‑Service erstellen
|
||
|
||
```bash
|
||
cat >/etc/systemd/system/vaultwarden.service <<'EOF'
|
||
[Unit]
|
||
Description=Vaultwarden (Bitwarden-compatible) – native
|
||
After=network.target
|
||
|
||
[Service]
|
||
User=vaultwarden
|
||
Group=vaultwarden
|
||
EnvironmentFile=/etc/vaultwarden.env
|
||
ExecStart=/opt/vaultwarden/vaultwarden
|
||
WorkingDirectory=/var/lib/vaultwarden
|
||
# Hardening (schlank & sicher)
|
||
LimitNOFILE=1048576
|
||
PrivateTmp=true
|
||
ProtectSystem=full
|
||
ProtectHome=true
|
||
NoNewPrivileges=true
|
||
|
||
[Install]
|
||
WantedBy=multi-user.target
|
||
EOF
|
||
|
||
systemctl daemon-reload
|
||
systemctl enable --now vaultwarden
|
||
systemctl status vaultwarden --no-pager
|
||
```
|
||
|
||
Prüfen (sollte „active (running)“ sein):
|
||
|
||
```bash
|
||
ss -tulpn | grep -E ':8000|:3012'
|
||
```
|
||
|
||
5. NPM: Proxy‑Host + WebSockets + SSL
|
||
|
||
* **Hosts → Proxy Hosts → Add Proxy Host**
|
||
|
||
* Domain Names: `pass.DEINE-DOMAIN.tld`
|
||
* Scheme: http
|
||
* Forward Hostname / IP: **\<VW\_IP>**
|
||
* Forward Port: **8000**
|
||
* Block Common Exploits: an
|
||
* Websockets Support: an
|
||
* **Custom Locations → Add Location**
|
||
|
||
* Location: **/notifications/hub**
|
||
* Forward Hostname / IP: **\<VW\_IP>**
|
||
* Forward Port: **3012**
|
||
* Websockets Support: an
|
||
* **SSL**
|
||
|
||
* Request a new SSL Certificate (Let’s Encrypt)
|
||
* Force SSL, HTTP/2, HSTS: an
|
||
|
||
Prüfen:
|
||
|
||
* `https://pass.DEINE-DOMAIN.tld` öffnet die Login‑Seite.
|
||
* WebSocket: Eintrag von einem zweiten Client ändern → Live‑Sync sichtbar.
|
||
|
||
6. Erstkonfiguration (Web‑UI)
|
||
|
||
* Admin‑Backend: `https://pass.DEINE-DOMAIN.tld/admin` → **ADMIN\_TOKEN** eingeben.
|
||
* **Signups**: „Signups allowed“ **aus**.
|
||
* Optional **SMTP** eintragen (Testmail senden).
|
||
* Erstes Benutzerkonto anlegen und **2FA (TOTP/FIDO2)** aktivieren.
|
||
|
||
7. Backup (Basis)
|
||
|
||
```bash
|
||
# Kurzvariante (läuft online); für 100% Konsistenz ggf. Dienst kurz stoppen
|
||
# systemctl stop vaultwarden
|
||
|
||
tar -czf /root/vaultwarden-backup-$(date +%F).tar.gz -C /var/lib vaultwarden
|
||
|
||
# systemctl start vaultwarden
|
||
ls -lh /root/vaultwarden-backup-*.tar.gz
|
||
```
|
||
|
||
Cron‑Hinweis: Regelmäßig sichern; Restore testweise separat prüfen.
|
||
|
||
——————————
|
||
Stolperfallen
|
||
|
||
* **ROCKET\_/WEBSOCKET\_ADDRESS falsch** → NPM erreicht den Dienst nicht.
|
||
* **WebSockets nicht weitergeleitet** → Live‑Sync/Push funktioniert nicht.
|
||
* **DOMAIN nicht https** → fehlerhafte Links/Icons.
|
||
* **ADMIN\_TOKEN zu kurz/unsicher** → Risiko fürs Admin‑Backend.
|
||
* **Signups offen** → ungewollte Accounts.
|
||
|
||
Ergebnis
|
||
|
||
* Vaultwarden läuft nativ im LXC, ist über `https://pass.DEINE-DOMAIN.tld` erreichbar, WebSockets funktionieren, Registrierungen sind aus, Admin‑Backend ist geschützt; Backups vorhanden.
|