Install Vaultwarden Password Server on FreeBSD
In this guide, I explain how to install and set up Vaultwarden on FreeBSD.
What is Vaultwarden
Vaultwarden is an alternative implementation of the Bitwarden server API, written in Rust and compatible with upstream Bitwarden clients. It is perfect for self-hosted use when using the official, resource-intensive service is not ideal.
We can install it as follows:
$: pkg install vaultwarden
Then we copy the sample configuration:
$: cp /usr/local/etc/rc.conf.d/vaultwarden.sample /usr/local/etc/rc.conf.d/vaultwarden
However, before we change our Vaultwarden configuration, we need an admin token, which we can create with the following command:
$: openssl rand -base64 48
We now copy the created token and change the configuration.
Note: If we want to use the web interface, we have to set SIGNUPS_ALLOWED to true. Under ADMIN_TOKEN we paste our copied token. Furthermore, we can change our email server configuration here.
$: nano /usr/local/etc/rc.conf.d/vaultwarden =>
ROCKET_ADDRESS=127.0.0.1
export ROCKET_ADDRESS
ROCKET_PORT=4567 # your port here
export ROCKET_PORT
# ROCKET_TLS='{certs = "/ssl/fullchain.pem", key = "/ssl/key.pem"}'
# LOG_FILE='/data/bitwarden.log'
SIGNUPS_ALLOWED='true'
export SIGNUPS_ALLOWED
DOMAIN='https://vaultwarden.domain'
export DOMAIN
ADMIN_TOKEN= # generate one with ~$ openssl rand -base64 48
export ADMIN_TOKEN
SMTP_HOST=localhost
export SMTP_HOST
SMTP_FROM=noreply@localhost
export SMTP_FROM
SMTP_PORT=25
export SMTP_PORT
SMTP_SSL=false
export SMTP_SSL
# SMTP_USERNAME=
# export SMTP_USERNAME
# SMTP_PASSWORD=
# export SMTP_PASSWORD
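A quick check of the edited file before the service is started, as an added example that is not part of the original guide. The function names and the choice of checks are assumptions made for illustration, and the sample configuration is constructed.

```sh
# Print the last value assigned to KEY ($1) in FILE ($2), minus quotes and comment.
conf_get() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e "s/^['\"]//" -e "s/['\"]\$//"
}

# Print one finding per line; return 1 if anything was found, 0 otherwise.
audit_vaultwarden_conf() {
    f=$1; findings=0
    note() { echo "$1"; findings=$((findings + 1)); }
    token=$(conf_get ADMIN_TOKEN "$f")
    # `openssl rand -base64 48` prints 64 characters; shorter means hand-typed.
    if [ -z "$token" ]; then
        note "ADMIN_TOKEN: still empty, paste the generated token"
    elif [ "${#token}" -lt 64 ]; then
        note "ADMIN_TOKEN: shorter than the 64 characters openssl prints"
    fi
    case $(conf_get SIGNUPS_ALLOWED "$f") in
        true) note "SIGNUPS_ALLOWED: registration is open to anyone who can reach the site" ;;
    esac
    case $(conf_get ROCKET_ADDRESS "$f") in
        127.0.0.1|::1|localhost) ;;
        *) note "ROCKET_ADDRESS: not pinned to loopback as in the guide" ;;
    esac
    case $(conf_get DOMAIN "$f") in
        https://*) ;;
        *) note "DOMAIN: not an https:// URL" ;;
    esac
    # The file holds ADMIN_TOKEN (and possibly SMTP_PASSWORD).
    if [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
        note "permissions: file is readable by every local user"
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: the guide's settings with the token placeholder unfilled.
write_sample() {
    cat > "$1" <<'EOF'
ROCKET_ADDRESS=127.0.0.1
SIGNUPS_ALLOWED='true'
DOMAIN='https://vaultwarden.domain'
ADMIN_TOKEN= # generate one with ~$ openssl rand -base64 48
EOF
}

# Audit the file named in $1, or the constructed sample when no argument is given.
if [ $# -gt 0 ]; then audit_vaultwarden_conf "$1"; else
    s=$(mktemp); write_sample "$s"; audit_vaultwarden_conf "$s" || true; rm -f "$s"
fi
```

Run against /usr/local/etc/rc.conf.d/vaultwarden, the SIGNUPS_ALLOWED finding is expected while the first account is being created and should disappear once registration is switched off again.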
Now that we have changed our configuration, we can enable the Vaultwarden service and start it for the first time.
$: service vaultwarden enable
$: service vaultwarden start
$: service vaultwarden status
To be able to use the web interface, we will use Nginx as a reverse proxy. First, we create the Nginx configuration:
$: nano /usr/local/etc/nginx/vhosts/vaultwarden.conf =>
server {
    listen 80;
    server_name vaultwarden.domain;
    # Allow large attachments
    client_max_body_size 128M;
    location / {
        proxy_pass http://127.0.0.1:4567;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    location /notifications/hub {
        proxy_pass http://127.0.0.1:3012;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    location /notifications/hub/negotiate {
        proxy_pass http://127.0.0.1:4567;
    }
}
We also need an entry in our hosts file:
$: nano /etc/hosts =>
127.0.0.1 vaultwarden.domain
Since it's more secure to deploy Vaultwarden over HTTPS, and we still need Let's Encrypt certificates for that, we simply run the “certbot” command in our terminal and let it automatically create a certificate for our new domain.
Finally, we restart Nginx.
$: service nginx restart
Now we can open our freshly installed Vaultwarden service via the web browser.
Here, we can create a new user and manage our passwords securely in the future.