Deploy Vaultwarden Password Manager to Dokku Micro PaaS


Running an easy-to-use password manager on an existing Dokku setup is a great way to keep your passwords secure. In this post, I will show you how to deploy Vaultwarden Password Manager to Dokku Micro PaaS using a Dockerfile, including database setup, SSL and backup.

Prerequisites

If you have Dokku already set up, you will already have git and ssh installed on your machine to deploy to your Dokku instance. You don’t need to have Docker installed or running on your local machine.

Having a separate domain for your password manager is recommended. You can use a subdomain for this. In this tutorial, I will use vaultwarden.example.com.

Select the Database

Vaultwarden supports SQLite, MariaDB, MySQL, and PostgreSQL. You can choose the database that you are most comfortable with. For personal use combined with Dokku, SQLite is a good choice. It makes your setup easier and you don’t need to worry about extra database backups. This will be done together with the persistent storage required for attachments.

Create a new Dokku app

First, you need to create a new Dokku app on your Dokku instance. Log in to your Dokku instance and run the following commands:

dokku apps:create vaultwarden
dokku domains:set vaultwarden vaultwarden.example.com

Note: Replace vaultwarden.example.com with your domain. We will do the SSL setup later in this tutorial as it won’t work without a running app.

Set up Port Forwarding to Docker Container

Vaultwarden uses port 80 by default. You need to forward the port from the host to the Docker container. Run the following commands on your Dokku machine:

dokku ports:add vaultwarden http:80:80
dokku ports:add vaultwarden https:443:80

The first parameter is the protocol (http/https). The second value is the host port (80 and 443) and the third value is the container port (80) to map to your application.

Note: We forward port 443 to 80 to make it easier to set up SSL later. Vaultwarden will redirect to HTTPS automatically.

Persistent storage for attachments and database

Vaultwarden requires persistent storage for attachments. You can use the Dokku built-in persistent storage plug-in to create a volume for this. Run the following commands:

dokku storage:ensure-directory vaultwarden
dokku storage:mount vaultwarden /var/lib/dokku/data/storage/vaultwarden:/data

Note: We will use the same space for the SQLite database to keep it simple and have one backup for attachments and the database.

Increase the upload size for attachments

I use Nginx Proxy as it is part of the default setup of Dokku. Nginx has a default upload size of 1MB. You have to increase this by setting the client_max_body_size in the Nginx Proxy configuration. Run the following commands on your Dokku machine:

dokku nginx:set vaultwarden client-max-body-size 20m
dokku proxy:build-config vaultwarden

This will increase the upload size to 20MB. You can adjust this value to your needs.

Note: The proxy:build-config command is required to rebuild the Nginx Proxy config. If you want to change the upload size later, you have to run this command again to rebuild the Nginx config.

Create a Dockerfile

Deploying a Dockerfile to Dokku is pretty simple. We will use the official Vaultwarden Docker image.

Create a new directory on your local machine and create a new file called Dockerfile within this directory:

mkdir vaultwarden
cd vaultwarden
touch Dockerfile

Add the following content to the Dockerfile:

FROM vaultwarden/server:latest

EXPOSE 80

ENV DB=sqlite

If you want to have control over the version installed, you can specify the version in the FROM line. For example, to use version 1.32.7, you can use this Dockerfile:

FROM vaultwarden/server:1.32.7

EXPOSE 80

ENV DB=sqlite

If you define a specific version, you have to update the Dockerfile when a new version is released to update the application. If you use latest, the application will be updated to the latest version on every deployment.

Note: The ENV DB=sqlite can be set using Dokku environment variables. As I want to have SQLite as the default, I set it in the Dockerfile. This way I don’t need to care about the database setup in the Dokku environment.

Deploy the Dockerfile

Dokku requires git to deploy the app to Dokku. Create a new git repository in your vaultwarden directory and add the Dockerfile:

git init
git add Dockerfile
git commit -m "Add Dockerfile"

Your Dokku setup has a git remote repository. In this example I use dokku.example.com as the domain. Add your Dokku instance as a remote repository:

git remote add dokku dokku@dokku.example.com:vaultwarden
git push dokku main:master

This will deploy the Dockerfile to your Dokku instance. Now wait until the deployment is finished before you continue with SSL.

Note: Git uses main as the default branch. Dokku uses master as the default branch. That’s why we push main to master.

Set up SSL

To set up SSL, we will use Let’s Encrypt. Dokku has a Let’s Encrypt plugin for this. Install the plugin by running the following command on your Dokku machine if not already done:

dokku plugin:install https://github.com/dokku/dokku-letsencrypt.git

SSL should be handled by a central email address. Set the email address for your Dokku instance if not already done:

dokku letsencrypt:set --global email your@email.tld

Now you can enable SSL for your Vaultwarden app including the cron job for automatic renewal:

dokku letsencrypt:enable vaultwarden
dokku letsencrypt:cron-job --add vaultwarden

Now you have SSL enabled for your Vaultwarden app and are able to create your account.

Create your first user

Now you can access your Vaultwarden instance using your domain through SSL. Open your domain and create your first user. You can now use your password manager.

Stop new users from registering

If you want to stop new users from registering, you can disable the registration by setting the environment variable SIGNUPS_ALLOWED to false. Run the following command on your Dokku machine:

dokku config:set vaultwarden SIGNUPS_ALLOWED=false
dokku ps:restart vaultwarden

If you want to limit registration to specific email domains, check the wiki: Disable registration of new users.

Backup your files

To back up your attachments and database (for SQLite only), you can use any backup solution you might already have in place. I recommend using restic. Restic is a great tool to back up your data to different locations like S3, Minio, or an scp server.

You can use restic to back up all your persistent data in the /var/lib/dokku/data/storage directory. This way you don’t need to care about a backup of every storage volume you have.
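
A file-level copy of a SQLite database taken while Vaultwarden is writing can be inconsistent, so the script below snapshots the database with SQLite's .backup command, verifies the snapshot, and hands a staged copy to restic. It is an added example, not part of the original post. It assumes the database file is named db.sqlite3 (Vaultwarden's default), that sqlite3 and restic are installed on the Dokku host with RESTIC_REPOSITORY and RESTIC_PASSWORD_FILE set, and it uses a hypothetical staging directory /var/backups/vaultwarden-stage.

```shell
#!/bin/sh
# Added example: consistent restic backup of the Vaultwarden data directory.
# Expects RESTIC_REPOSITORY and RESTIC_PASSWORD_FILE in the environment.
set -eu

# Host side of the /data mount created with dokku storage:mount in this post.
DATA_DIR="${DATA_DIR:-/var/lib/dokku/data/storage/vaultwarden}"
# Assumption: Vaultwarden's default SQLite file name.
DB_NAME="${DB_NAME:-db.sqlite3}"
# Hypothetical staging path; choose any directory outside DATA_DIR.
STAGE_DIR="${STAGE_DIR:-/var/backups/vaultwarden-stage}"

# stage_files SRC DEST: copy attachments and other files, skipping the live
# database and its -wal/-shm side files.
stage_files() {
    mkdir -p "$2"
    chmod 700 "$2"
    ( cd "$1" && find . -type f ! -name "$DB_NAME" ! -name "$DB_NAME-*" ) |
    while IFS= read -r f; do
        mkdir -p "$2/$(dirname "$f")"
        cp -p "$1/$f" "$2/$f"
    done
}

# snapshot_db SRC DEST: take a transactionally consistent copy through SQLite
# itself and fail unless the copy passes an integrity check.
snapshot_db() {
    rm -f "$2"
    sqlite3 "$1" ".backup '$2'"
    [ "$(sqlite3 "$2" 'PRAGMA integrity_check;')" = "ok" ]
}

backup_vaultwarden() {
    rm -rf "$STAGE_DIR"
    stage_files "$DATA_DIR" "$STAGE_DIR"
    snapshot_db "$DATA_DIR/$DB_NAME" "$STAGE_DIR/$DB_NAME"
    restic backup "$STAGE_DIR"
}

# Run only when called as: vaultwarden-backup.sh run (for example from cron).
if [ "${1:-}" = "run" ]; then
    backup_vaultwarden
fi
```

Restore by running restic restore into an empty directory and copying its contents back to the storage path while the app is stopped.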

Email setup (optional)

If you want to use email notifications, you can set up an email server using SMTP configuration by setting environment variables for your Dokku app like this:

dokku config:set vaultwarden SMTP_HOST=smtp.example.com
dokku config:set vaultwarden SMTP_PORT=587
dokku config:set vaultwarden SMTP_SECURE=starttls
dokku config:set vaultwarden SMTP_USERNAME=<username>
dokku config:set vaultwarden SMTP_PASSWORD=<password>
dokku ps:restart vaultwarden

Replace the values with your SMTP server settings. You can test the email setup by using the Send password hint feature on login.

Note: Don’t forget to restart your app after setting the environment.

Conclusion

Deploying Vaultwarden to Dokku is a great way to have your password manager running on your own server. You can use the existing Dokku setup to store your personal password manager.

By limiting access to a personal domain, you can limit the account creation to your friends and family while providing a secure way to store your and their passwords.

