Jump to content

User:Acmeraptor

From RiSKi
Revision as of 23:32, 13 April 2025 by Acmeraptor (talk | contribs)

Food

Menus

Recipes

Grandma's Fudge

  • Ingredients
    • 2 cups (12oz) semi sweet chocolate bits
    • 3 packages german sweet chocolate
    • 1 8oz jar? marchmallow creme
    • 2 cups broken nut meat
    • 4 1/2 cups sugar
    • 1/8 teaspoon salt
    • 2 tablespoons butter

bloovis.com

Bloovis 

Posts
Installing Vaultwarden Without Docker

Installing Vaultwarden Without Docker 📅 Oct 6, 2023 

·

☕ 6 min read 🏷️

  1. linux
  2. software

Update: the newer version of the Bitwarden Android app requires a newer Vaultwarden. This required some changes in the following procedure, mainly in using the “latest” docker image instead of the “alpine” image, and installing the required libmariadb3 and libpq5 packages.

I recently switched from using LastPass to BitWarden as my password manager. LastPass has always worked well enough in browsers, but there was no easy way to get it to work on so-called “smart” devices like Android phones, and there was no Linux application for managing passwords. I’d been using KeePassXC on Linux in parallel with LastPass, but keeping the two synced up manually was an error-prone annoyance.

Bitwarden solves these problems by providing Linux and Android applications, a web interface, and browser extensions that synchronize with each other. But using it still means being dependent on a third-party service, as with LastPass, and that makes me uncomfortable. I have my own domain and Linux server for it, and I’ve been using it to self-host this blog, an email server, an RSS reader, and Git repositories, so I thought it would be a natural next step to host a Bitwarden server there too.

Fortunately, there’s a lightweight Bitwarden-compatible server called Vaultwarden that can be used for self-hosting. But like Bitwarden and seemingly every other web service these days, it normally requires Docker for installation, which I’m trying to avoid.

I understand the motivation behind Docker: it’s a clever way to avoid dependency and build problems in trying to get software to work on a multitude of different Linux distributions. But to this old-school Linux admin, it seems like a terribly wasteful system. Each application using Docker has to package all of its dependencies – both libraries and related application problems – into a Docker image. It’s as if each program comes with multiple copies of its own user-space operating systems.

So I looked for a way to install Vaultwarden without Docker, and I came across this forum posting. The instructions posted by the user sockrocker were nearly perfect, with one tiny exception: the web-vault directory has to be moved to /var/lib/vaultwarden, not /opt/vaultwarden.

Install Vaultwarden For completeness, here is what I did to install Vaultwarden on my server. All of these commands should be performed as root, or prefixed with sudo.

First, create a directory to store the docker image temporarily:

mkdir vw-image cd vw-image Obtain the script for extracting the needed pieces of the Docker image:

wget https://raw.githubusercontent.com/jjlin/docker-image-extract/main/docker-image-extract chmod +x docker-image-extract Extract the Vaultwarden Docker image:

./docker-image-extract vaultwarden/server:latest Create directories where Vaultwarden will be stored on the server:

mkdir /opt/vaultwarden mkdir /var/lib/vaultwarden mkdir /var/lib/vaultwarden/data Create a vaultwarden user and make the Vaultwarden data owned by it:

useradd vaultwarden chown -R vaultwarden:vaultwarden /var/lib/vaultwarden Move the Vaultwarden server program and data to their final destinations:

mv output/vaultwarden /opt/vaultwarden mv output/web-vault /var/lib/vaultwarden If things have gone well, remove the unnecessary bits:

rm -Rf output rm -Rf docker-image-extract Install two packages required by Vaultwarden:

apt install libmariadb3 apt install libpq5 Configure Vaultwarden Create the hash for a Vaultwarden admin password:

/opt/vaultwarden/vaultwarden hash You will be prompted for a password twice. Save the resulting output somewhere.

Create the file /var/lib/vaultwarden/.env with the following contents, substituting your own user name, domain, and SMTP details:

DOMAIN=https://www.example.com/vaultwarden/ ORG_CREATION_USERS=user@example.com ADMIN_TOKEN='<hash produced by vaultwarden hash earlier>' SIGNUPS_ALLOWED=false SMTP_HOST=smtp.example.com SMTP_FROM=vaultwarden@example.com SMTP_FROM_NAME=Vaultwarden SMTP_PORT=587 # Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 is outdated and us> SMTP_SSL=true # (Explicit) - This variable by default configures Explicit STARTTLS, it will upgrade an insecure connection to a secure one. Unless SMTP_EXPLICIT_> SMTP_EXPLICIT_TLS=false # (Implicit) - N.B. This variable configures Implicit TLS. It's currently mislabelled (see bug #851) - SMTP_SSL Needs to be set to true for this o> SMTP_USERNAME=user@example.com SMTP_PASSWORD=mysmtppassword SMTP_TIMEOUT=15

  1. Change the following back to true to allow login on the web.

WEB_VAULT_ENABLED=false LOG_FILE=/var/lib/vaultwarden/vaultwarden.log Create the file /etc/systemd/system/vaultwarden.service with the following contents:

[Unit] Description=Bitwarden Server (Rust Edition) Documentation=https://github.com/dani-garcia/vaultwarden After=network.target

[Service] User=vaultwarden Group=vaultwarden EnvironmentFile=/var/lib/vaultwarden/.env ExecStart=/opt/vaultwarden/vaultwarden LimitNOFILE=1048576 LimitNPROC=64 PrivateTmp=true PrivateDevices=true ProtectHome=true ProtectSystem=strict WorkingDirectory=/var/lib/vaultwarden ReadWriteDirectories=/var/lib/vaultwarden AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install] WantedBy=multi-user.target Now you should be able to start the Vaultwarden service and check its status:

systemctl enable vaultwarden systemctl start vaultwarden systemctl status vaultwarden | less The status should say that vaultwarden is running and that it is listening at http://127.0.0.1:8000.

Configure Apache Now we have to set up Apache as a reverse proxy, so that it will provide SSL protection to Vaultwarden, whose internal web server, Rocket, does not support SSL by default. I’m assuming that you already have SSL implemented on your Apache server, perhaps by using Let’s Encrypt, and that your base web site URL is https://www.example.com/ for illustration purposes.

First, enable the proxy module:

a2enmod proxy_http Tell Apache how to redirect the URL /vaultwarden from your base web site to Vaultwarden. Do this by adding a single line to the <VirtualHost *:443> section of your Apache site configuration. If you used Let’s Encrypt to obtain your SSL certificates, this configuration file might be at /etc/apache2/sites-enabled/000-default-le-ssl.conf. The line you need to add looks like this:

ProxyPass /vaultwarden/ http://127.0.0.1:8000/vaultwarden/ upgrade=websocket Restart Apache and check its status:

systemctl restart apache2 systemctl status apache2 If all went well, you should be able to visit the admin page of your Vaultwarden site by going to this URL in a browser:

https://www.example.com/vaultwarden/admin You will be prompted for a password, so enter the password you used earlier when prompted by vaultwarden hash. The configuration page should now appear.

Test SMTP You’ll want to make sure that your SMTP settings are correct. To do this, click on SMTP Email Settings on the configuration page, fill in your email address in the Test SMTP form, and click on Send test email.

User Signup If, like me, you are installing Vaultwarden for personal use, it is probably best for security purposes to disallow new signups in the general settings of the configuration page. However, you can send yourself (or trusted friends) an email invitation to sign up. Find this option in the Users tab; at the bottom of the page is an Invite User form.

User Login When you receive the signup invitation email, you’ll can respond to the invitation in a web browser. Choose a lengthy, secure password.

(Note: if the Brave browser hangs showing a spinning wheel when you try to log into the Vaultwarden web interface, it might be due to interference from browser extensions. Try removing the tampermonkey and BypassPaywalls extensions and clearing the browser cache.)

Once you log in to Vaultwarden, you can now import your Bitwarden vault. First export the vault as a JSON file in the Bitwarden browser extension, then import it into Vaultwarden using the web interface.

To use the Vaultwarden vault in the Bitward browser extension, log out of the extension in Settings / Account / Log Out. Then you’ll need to create a new account in the extension. To the right of “Logging in on:”, select “self-hosted” from the drop-down menu. You’ll be prompted for the URL of Vaultwarden, which should be https://www.example.com/vaultwarden/, using the examples above. A similar process can be used in the Linux Bitwarden app to switch to the Vaultwarden vault.

SELinux An alert reader has informed me that the following things need to be done if you’re using SELinux:

semanage fcontext -a -t bin_t '/opt/vaultwarden/vaultwarden' restorecon -RFv /opt/vaultwarden/vaultwarden setsebool -P httpd_can_network_connect on I don’t use SELinux, so I’m unable to try this myself.

See Also Postfix + Maildrop = Failure Tagging Ogg Vorbis music files for classical music Windows, UTC, and the hardware clock Linux on Lenovo Ideapad 3 Fixing Guest Session on Linux Mint 20 Postfix + Maildrop = Failure Using Pobox.com with Postfix What's on this Page


©2025, All Rights Reserved

Powered by Hugo and the Zzo theme


    • 1 tall can evaporated milk
  • Instructions
    • combine chocolate bits, sweet chocolate, marshmallow creme, and walnuts in a large bowl
    • combine sugar, butter, salt, and evaporated milk in large heavy saucepan, heat to boiling
    • !!! Get better pictures of the card dad has in order to write this up cleanly !!!

MariaDB

Use if PHPMyAdmin is not running: 

CREATE DATABASE my_wiki;
CREATE USER 'wikiuser'@'localhost' IDENTIFIED BY 'database_password';
GRANT ALL PRIVILEGES ON my_wiki.* TO 'wikiuser'@'localhost' WITH GRANT OPTION;
  • Note: Now that I have VaultWarden running, usernames and passwords will be managed through it. Also, vault should **ONLY** work with VPN access.

Mobile

Software and information about GrapheneOS. GrapheneOS only runs on Google devices currently, phones and tablets.

Software

Tips

  • Pressing power+volume up buttons to switch from an audible ring tone to vibrate (or mute) is enabled by default, causing missed important phone calls and text messages.

To modify, go to Settings > Sound & vibration > Shortcut to prevent ringing

  • Auto dimming has been an annoyance, it is supposed to learn tendencies/preference yet keeps dimming too low in low light conditions.

To modify, go to Settings > Display > Adaptive brightness

Read

Firearms

Locksport

Misc

Servers

Notes on server names and functions for planned future use.

Physical

  • hovp-rsk-uos00 : OpenStack - Currently in use, my clunky old laptop
  • iapp-rsk-owr01 : OpenWRT Wireless Router - Linksys router (model noted below this page). VPN client profile rebuild still pending.

Virtual

  • hovp-rsk-uss01 : Single Server - Single server holding these notes and plans, currently minimal setup of webapps.
  • hovt-rsk-uws22 : WebServer - Base Jammy Jellyfish OS. Minimal setup kept updated to use as a source for cloning other virtual servers.

Upcoming

The following will be strictly for RSK Solutions and demo models for future domains like Casper307 and NIALC

The following will be desktop environments available for use as remote appliances accessable from my home LAN and via VPN

Server Notes

These will eventually have their own individual wiki pages. For the sake of not migrating or losing notes later, they will be consolidated here.

Templates

Once a template virtual server is created, issue the following commands to pull my ACME code library from the OpenStack virtual server host's repository. 

mkdir /home/rkeeling/webapps
scp -r rkeeling@10.65.30.11:/home/rkeeling/RSK\\\ Solutions/VSCode/acme /home/rkeeling/webapps

Then issue "sudo visudo" to edit the sudoers secure path to include the new acme path 

Defaults        secure_path="/home/rkeeling/webapps/acme/.bin: ...

In order for this to be effective within the shell, logout and log back on. *I will change this to reloading the shell later*

At this point the scripts are executable anywhere. The following will update repositories, upgrade general packages, upgrade distribution packages (IE, kernel updates), remove old and unused packages. 

sudo getallupdates

Now, set the time zone for the server. In my case, CST 

sudo timedatectl set-timezone America/Chicago

The following may be ran to confirm the change to the local time 

sudo timedatectl status

At this point the template is fully up to date and can be shut down. The only maintenance needed is periodically running the getallupdates script.

Any new virtual server that is needed can be cloned from these versioned release templates to significantly cut down on setup time.

Template Clone

Following the clone of a template with newly generated MAC address, update the following two files and restart to permanently change the new server's name. 

sudo vi /etc/hostname
sudo vi /etc/hosts
sudo shutdown -Fr now

The appropriate installation script can be issued depending on the server's purpose.

Shop

Auto

Firearms

Gear

Home Office

Locksport

Paracord Lanyards

Software

Open-source and purchased *licenses

WebApp Downloads

Windows VM

The VM needs a minimum of two cores and 4Gb memory to run. The following steps will bypass the hardware checks to allow Windows 11 to install:

Click next to show-up the "Install now" button; when you see the installation button, press "Shift+F10" on your keyboard at the same time to launch a command prompt. At this command prompt, type "regedit" and press enter to launch the Windows Registry Editor.

When the Registry Editor opens, navigate to "HKEY_LOCAL_MACHINE\SYSTEM\Setup", right-click on the "Setup" key and select "New => Key".

When prompted to name the key, enter "LabConfig" and press enter.

Now right-click on the "LabConfig" key and select "New => DWORD (32-bit)" value and create a value named "BypassTPMCheck", and set its data to "1". With the same steps create the "BypassRAMCheck" and "BypassSecureBootCheck" values and set also their data to "1", so it looks like the following image.

With those three values configured under the "LabConfig" key, close the "Registry Editor", and then type exit in the "Command Prompt" followed by enter to close the window. You can now click on the "Install now" button to proceed to get "Microsoft Windows 11" installed as a virtual-machine on top of VirtualBox.

WRT3200ACM

This router has a dual boot partition that has several methods of switching from the A/B partitions. Also, information on for OpenVPN.

Logical

  • SSH into your router
  • You can see what partition is currently being booted from by running: /usr/sbin/fw_printenv -n boot_part
  • Mine was booting from partition 1, I needed it to boot to partition 2.
  • Tell the router which partition to boot from: /usr/sbin/fw_setenv boot_part 2
  • Reboot the router by running: reboot
  • Change the number "2" in step 4 to whatever partition you need. I couldn't find a command that would show what my boot options were. So I tried 0 first, which did nothing, then tried 2. Boot partition 2 was the correct one for me.

LuCI

Install the LuCI-app-advanced-reboot package. This is the easiest method.

OpenVPN

OpenWRT/OpenVPN Use this as a baseline for rewriting the scripts, as they do not work as published.

  • This section is being heavily edited until I work out the kinks

Creation

This is going to be my third and final profile. The first lasted the ten years it was meant to, the second lasted three years and could not be recovered due to configuration hiccups. My personal one will be set to 100 years, far beyond my expected lifetime. Things may adjust if I allow another user access, but as of yet - no one has asked.

Install all needed apps beforehand: 

opkg update

opkg install luci-app-advanced-reboot luci-app-openvpn openvpn-easy-rsa openvpn-openssl

The following four scripts can be created under the /root path and will need to be chmod to executable. 

sudo chmod +x *.sh
1-preparation.sh
# Install packages
opkg update
opkg install luci-app-advanced-reboot luci-app-openvpn openvpn-easy-rsa openvpn-openssl

# Configuration parameters
VPN_DIR="/etc/openvpn"
VPN_PKI="/etc/easy-rsa/pki"
VPN_PORT="1194"
VPN_PROTO="udp"
VPN_POOL="10.65.9.0 255.255.255.0"
VPN_DNS="${VPN_POOL%.* *}.1"
VPN_DN="$(uci -q get dhcp.@dnsmasq[0].domain)"

# Fetch server address
NET_FQDN="$(uci -q get ddns.@service[0].lookup_host)"
. /lib/functions/network.sh
network_flush_cache
network_find_wan NET_IF
network_get_ipaddr NET_ADDR "${NET_IF}"
if [ -n "${NET_FQDN}" ]
then VPN_SERV="${NET_FQDN}"
else VPN_SERV="${NET_ADDR}"
fi
2-keymanagement.sh
# Work around EasyRSA issues
wget -U "" -O /tmp/easyrsa.tar.gz https://github.com/OpenVPN/easy-rsa/releases/download/v3.2.2/EasyRSA-3.2.2.tgz
tar -z -x -f /tmp/easyrsa.tar.gz

# Configuration parameters
cat << EOF > /etc/profile.d/easy-rsa.sh
export EASYRSA_PKI="${VPN_PKI}"
export EASYRSA_TEMP_DIR="/tmp"
export EASYRSA_CERT_EXPIRE="36500"
export EASYRSA_BATCH="1"
alias easyrsa="/root/EasyRSA-3.2.2/easyrsa"
EOF
. /etc/profile.d/easy-rsa.sh

# Remove and re-initialize PKI directory
easyrsa init-pki

# Generate DH parameters
easyrsa gen-dh

# Create a new CA
easyrsa build-ca nopass

# Generate server keys and certificate
easyrsa build-server-full server nopass
openvpn --genkey tls-crypt-v2-server ${EASYRSA_PKI}/private/server.pem

# Generate client keys and certificate
easyrsa build-client-full client nopass
openvpn --tls-crypt-v2 ${EASYRSA_PKI}/private/server.pem \
--genkey tls-crypt-v2-client ${EASYRSA_PKI}/private/client.pem
3-firewall.sh
# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.lan.device="tun+"
uci add_list firewall.lan.device="tun+"
uci -q delete firewall.ovpn
uci set firewall.ovpn="rule"
uci set firewall.ovpn.name="Allow-OpenVPN"
uci set firewall.ovpn.src="wan"
uci set firewall.ovpn.dest_port="${VPN_PORT}"
uci set firewall.ovpn.proto="${VPN_PROTO}"
uci set firewall.ovpn.target="ACCEPT"
uci commit firewall
service firewall restart
4-vpnservice.sh
# Configure VPN service and generate client profiles
umask go=
VPN_DH="$(cat ${VPN_PKI}/dh.pem)"
VPN_CA="$(openssl x509 -in ${VPN_PKI}/ca.crt)"
ls ${VPN_PKI}/issued \
| sed -e "s/\.\w*$//" \
| while read -r VPN_ID
do
VPN_TC="$(cat ${VPN_PKI}/private/${VPN_ID}.pem)"
VPN_KEY="$(cat ${VPN_PKI}/private/${VPN_ID}.key)"
VPN_CERT="$(openssl x509 -in ${VPN_PKI}/issued/${VPN_ID}.crt)"
VPN_EKU="$(echo "${VPN_CERT}" | openssl x509 -noout -purpose)"
case ${VPN_EKU} in
(*"SSL server : Yes"*)
VPN_CONF="${VPN_DIR}/${VPN_ID}.conf"
cat << EOF > ${VPN_CONF} ;;
user nobody
group nogroup
dev tun
port ${VPN_PORT}
proto ${VPN_PROTO}
server ${VPN_POOL}
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS ${VPN_DNS}"
push "dhcp-option DOMAIN ${VPN_DN}"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
${VPN_DH}
</dh>
EOF
(*"SSL client : Yes"*)
VPN_CONF="${VPN_DIR}/${VPN_ID}.ovpn"
cat << EOF > ${VPN_CONF} ;;
user nobody
group nogroup
dev tun
nobind
client
remote ${VPN_SERV} ${VPN_PORT} ${VPN_PROTO}
auth-nocache
remote-cert-tls server
EOF
esac
cat << EOF >> ${VPN_CONF}
<tls-crypt-v2>
${VPN_TC}
</tls-crypt-v2>
<key>
${VPN_KEY}
</key>
<cert>
${VPN_CERT}
</cert>
<ca>
${VPN_CA}
</ca>
EOF
done
service openvpn restart
ls ${VPN_DIR}/*.ovpn

Restoration

Configuration backups do NOT include the downloaded software packages, learned this the really hard way... On any new or refreshed partition image, the following lines !MUST! be run !FIRST! to ensure that the software is in place prior to restoring a configuration!

Login to the router, navigate to System > Backup / Flash Firmware > Reset to defaults > Perform reset (this is destructive, save your working configs if you have them)

After clearing the /overlay directory, issue the successive commands to reload the needeed packages: 

opkg update

opkg install luci-app-advanced-reboot luci-app-openvpn openvpn-easy-rsa openvpn-openssl

Then find your working config and navigate to System > Backup / Flash Firmware > Restore backup: <pick the appropriate file name>

Physical

Power cycling the router 3 times in quick succession When it powers on the power LED turns on then will go out briefly, This is when you turn it back off do this again and on the 3rd cycle, leave it powered on and it should boot back to the other partition.

Youtube

Locksport

Paracord Lanyard Tying

With 550 7-strand core paracord -- 108 inches (9 feet) from the reel for the grab handle.

With 550 7-strand core paracord -- 192 inches (16 foot) from the reel for the lanyard. The twisted portion should be about 42"-43" in length as it turns out shorter than expected after the braid and just daily use of folding and is not meant to not be completely rigid, the extra room is to allow for alot of flexibility. When braided, it can turn out shorter than estimated. No two of these will be exactly the alike!

  • Note 1: I will use the same color cord for the lanyard as the carabiner unless asked to make a three color variant, or if I feel squirrelly.
  • Note 2: I have the "leftovers" mantra running through my head the whole time. On the first half for sizing, twist left strand left side left to avoid snags, and place it over the right, and so on. On the braid part, start with the left strand through a twist and put the right strand under the left one.
  • Note 3: Related to note 2, pay attention and try not to miss braiding a twist. It is maddening to spot it ten minutes later, unravel to that spot to fix it.
Retrieved from "https://wiki.rsksolutions.org/index.php?title=User:Acmeraptor&oldid=219"