Deploy Your Own Password Manager
I have tried many password managers, such as Google Chrome's built-in one, iCloud Keychain, LastPass and 1Password. Each has its advantages in a particular environment: iCloud Keychain, for example, works perfectly across all Apple devices, and 1Password is a very thoughtful product. However, each one has some small drawback, such as poor cross-platform support or its price (that may be my own defect ;-)).
I found many open source alternatives that I can host and control myself, and, most importantly, most of them cover all of my platforms. I picked Bitwarden as my password manager solution, deployed as the Vaultwarden server (a Bitwarden-compatible implementation; it is the image used in the compose file below), and tried it on my Oracle Always Free server.
It is quite easy if you host it with Docker.
Install Docker
You can basically follow the official installation tutorials.
You may get an error when you test your Docker installation:
Got permission denied … /var/run/docker.sock: connect: permission denied
This is a permission problem on the Docker daemon's socket (/var/run/docker.sock). There are many solutions; choose the one that suits you. Keep in mind that anyone who can talk to the Docker socket (for example, every member of the docker group) effectively has root on the host, so grant that access deliberately.
You should also install docker-compose.
Make Some Preparations
We need two configuration files for Bitwarden: a docker-compose.yml that runs Postgres, Vaultwarden and Caddy, and a Caddyfile that tells Caddy how to terminate TLS and proxy to Vaultwarden.
docker-compose.yml

```yaml
version: '3'
services:
  db:
    image: postgres:latest
    container_name: postgres_db
    user: "1001:1001" # change this to fit your UID/GID
    restart: always
    environment:
      - POSTGRES_USER=vaultwarden
      - POSTGRES_PASSWORD=vaultwardenpgadmin # placeholder; replace before the first start
    volumes:
      - ./db-data:/var/lib/postgresql/data
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    depends_on:
      - db
    environment:
      # Must use the same password as POSTGRES_PASSWORD above.
      - DATABASE_URL=postgresql://vaultwarden:vaultwardenpgadmin@db:5432/vaultwarden
      # Public https URL of the vault (placeholder; vaultwarden uses it to build links).
      - DOMAIN=https://vault.example.com
      - WEBSOCKET_ENABLED=true # Enable WebSocket notifications.
      - LOG_FILE=/data/vaultwarden.log
      - SIGNUPS_ALLOWED=true # Set to false once your own account exists.
      - INVITATIONS_ALLOWED=false
    volumes:
      - ./vw-data:/data
  caddy:
    image: caddy:2
    container_name: caddy
    restart: always
    depends_on:
      - vaultwarden
    ports:
      - 80:80 # Needed for the ACME HTTP-01 challenge.
      - 443:443
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - ./caddy-config:/config
      - ./caddy-data:/data
    environment:
      - DOMAIN= # Your domain, prefixed with http or https.
      - EMAIL= # The email address to use for ACME registration.
      - LOG_FILE=/data/access.log
```

Two values need attention before the first start: POSTGRES_PASSWORD (and the matching password inside DATABASE_URL) is a placeholder and should be replaced with a random one, and SIGNUPS_ALLOWED=true leaves registration open to anyone who can reach your domain, so set it back to false once your own account exists. The db-data directory is bind-mounted into a container running as user 1001:1001, so it must be owned by that UID on the host.

Caddyfile

```caddyfile
{$DOMAIN}:443 {
    log {
        level INFO
        output file {$LOG_FILE} {
            roll_size 10MB
            roll_keep 10
        }
    }

    # Use the ACME HTTP-01 challenge to get a cert for the configured domain.
    tls {$EMAIL}
    #tls FILE.pem FILE.key.pem

    # This setting may have compatibility issues with some browsers
    # (e.g., attachment downloading on Firefox). Try disabling this
    # if you encounter issues.
    encode gzip

    # Notifications redirected to the WebSocket server
    reverse_proxy /notifications/hub vaultwarden:3012

    # Proxy everything else to Rocket
    reverse_proxy vaultwarden:80 {
        # Send the true remote IP to Rocket, so that vaultwarden can put this in the
        # log, so that fail2ban can ban the correct IP.
        header_up X-Real-IP {remote_host}
    }
}
```

If you don't want Caddy to obtain a TLS certificate automatically, replace the `tls {$EMAIL}` line with the commented-out alternative, `tls FILE.pem FILE.key.pem`, pointing at your own certificate and key. With the automatic option, port 80 has to be reachable from the internet so the ACME HTTP-01 challenge can succeed, which is why the compose file publishes it.
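The checks below are an added example, not code from the original post or from Vaultwarden, Caddy or Docker. They tie together the Docker socket permission error from the install step, the placeholder values in docker-compose.yml above and the tls line in the Caddyfile: run them in the deployment directory before `docker-compose up -d`. The script assumes the file names and environment lines used above (POSTGRES_PASSWORD, DOMAIN, EMAIL, SIGNUPS_ALLOWED, the tls directive) and the placeholder password vaultwardenpgadmin; the function names (in_docker_group, preflight and the rest) are this example's own.

```shell
#!/bin/sh
# Pre-flight checks for the Vaultwarden + Caddy docker-compose deployment.
# Added example (not part of the original post); assumes the file names and
# environment lines shown in the post and the placeholder DB password
# "vaultwardenpgadmin". Every check is a function returning 0 (ok) or 1 (fail).
set -u

# Return 0 if the given group list (default: the current user's groups) contains
# "docker". A missing membership is the usual cause of the docker.sock
# "permission denied" error; it also means the user effectively has root.
in_docker_group() {
  groups="${1:-$(id -nG)}"
  for g in $groups; do
    [ "$g" = "docker" ] && return 0
  done
  return 1
}

# Return 0 if the post's placeholder Postgres password is gone from the compose
# file (it appears both in POSTGRES_PASSWORD and inside DATABASE_URL).
db_password_changed() {
  ! grep -q 'vaultwardenpgadmin' "$1"
}

# Return 0 if key $2 appears as a "- KEY=..." line in compose file $1 and no
# such line is empty ("- DOMAIN= # comment" counts as unset).
env_value_set() {
  grep -Eq "^[[:space:]]*-[[:space:]]*$2=" "$1" &&
    ! grep -Eq "^[[:space:]]*-[[:space:]]*$2=([[:space:]#]|$)" "$1"
}

# Return 0 if open registration is off (SIGNUPS_ALLOWED=false).
signups_disabled() {
  grep -Eq '^[[:space:]]*-[[:space:]]*SIGNUPS_ALLOWED=false' "$1"
}

# Return 0 if the Caddyfile's tls directive is usable: one argument that is an
# e-mail address (or the {$EMAIL} placeholder) for ACME, or two arguments naming
# a certificate and key that exist relative to directory $2.
tls_config_ok() {
  dir=$2
  args=$(awk '$1 == "tls" { print $2, $3; exit }' "$1")
  [ -n "$args" ] || return 1
  set -- $args
  if [ "$#" -eq 1 ]; then
    case "$1" in
      *@*|'{$EMAIL}') return 0 ;;
      *) return 1 ;;
    esac
  elif [ "$#" -eq 2 ]; then
    [ -f "$dir/$1" ] && [ -f "$dir/$2" ]
  else
    return 1
  fi
}

# Return 0 if directory $1 exists and is owned by numeric uid $2. The compose
# file runs Postgres as user 1001:1001, so ./db-data must be writable by it.
dir_owned_by() {
  [ -d "$1" ] && [ "$(ls -ldn "$1" | awk '{ print $3 }')" = "$2" ]
}

# Print a one-line verdict for a check and count failures in $fails.
fails=0
report() {
  name=$1; shift
  if "$@"; then echo "ok   $name"; else echo "FAIL $name"; fails=$((fails + 1)); fi
}

# Run every check against deployment directory $1; return the failure count.
preflight() {
  compose="$1/docker-compose.yml"
  caddyfile="$1/Caddyfile"
  fails=0
  report "user is in the docker group"      in_docker_group
  report "placeholder DB password replaced" db_password_changed "$compose"
  report "DOMAIN is set"                    env_value_set "$compose" DOMAIN
  report "EMAIL is set"                     env_value_set "$compose" EMAIL
  report "signups disabled"                 signups_disabled "$compose"
  report "tls directive usable"             tls_config_ok "$caddyfile" "$1"
  report "./db-data owned by uid 1001"      dir_owned_by "$1/db-data" 1001
  return "$fails"
}

# Usage: sh preflight.sh .   (without an argument only the functions are defined)
if [ "$#" -ge 1 ]; then
  preflight "$1"
fi
```

Running `sh preflight.sh .` prints one verdict line per check and exits non-zero when any of them fails. The three findings most worth catching before the service is reachable on port 443 are an empty DOMAIN or EMAIL (Caddy cannot get a certificate), the placeholder database password, and SIGNUPS_ALLOWED left at true after your own account exists.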