VaultWarden

Purpose: Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs.

docker-compose.yml
---
version: "2.1"
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    environment:
      - TZ=America/Denver
      - INVITATIONS_ALLOWED=false
      - SIGNUPS_ALLOWED=false
      - WEBSOCKET_ENABLED=false
      - ADMIN_TOKEN=REDACTED #PUT A REALLY REALLY REALLY SECURE PASSWORD HERE
    volumes:
      - /srv/containers/vaultwarden:/data
    ports:
      - 80:80
    restart: always
    networks:
      docker_network:
        ipv4_address: 192.168.5.15
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.bunny-vaultwarden.rule=Host(`vault.bunny-lab.io`)"
      - "traefik.http.routers.bunny-vaultwarden.entrypoints=websecure"
      - "traefik.http.routers.bunny-vaultwarden.tls.certresolver=letsencrypt"
      - "traefik.http.services.bunny-vaultwarden.loadbalancer.server.port=80"
networks:
  default:
    external:
      name: docker_network
  docker_network:
    external: true

ADMIN_TOKEN

It is CRITICAL that you never share the ADMIN_TOKEN with anyone. It lets you log into the instance's admin page at https://vault.example.com/admin, where you can add users, delete users, make system-wide changes, etc.
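Vaultwarden also accepts an Argon2 PHC string as the ADMIN_TOKEN value (generated with `vaultwarden hash`), so the plaintext token does not have to sit in the compose file; inside docker-compose.yml every `$` of that string must be doubled to `$$`. The check below is an added example, not part of the original page or the Vaultwarden project: it audits an environment block like the one above, and its finding codes and sample values are made up for illustration.

```python
import re

# Argon2 PHC string as it must appear inside docker-compose.yml: every "$" is
# doubled so Compose does not treat it as variable interpolation.
PHC_ESCAPED = re.compile(
    r"^\$\$argon2(id|i|d)\$\$v=\d+\$\$m=\d+,t=\d+,p=\d+\$\$[A-Za-z0-9+/]+\$\$[A-Za-z0-9+/]+$"
)
ENV_LINE = re.compile(r"^\s*-\s*([A-Z][A-Z0-9_]*)=(.*)$")


def parse_env(compose_text):
    """Collect KEY=value entries from unquoted list items, dropping ' #' comments."""
    env = {}
    for line in compose_text.splitlines():
        m = ENV_LINE.match(line)
        if m:
            env[m.group(1)] = re.split(r"\s+#", m.group(2), maxsplit=1)[0].strip()
    return env


def audit(compose_text):
    """Return a list of finding codes (hypothetical names) for the environment block."""
    env, findings = parse_env(compose_text), []
    token = env.get("ADMIN_TOKEN")
    if token is not None and not PHC_ESCAPED.match(token):
        if token.startswith("$argon2"):
            # Hashed, but Compose would interpolate the single "$" characters.
            findings.append("ADMIN_TOKEN_UNESCAPED_DOLLAR")
        else:
            findings.append("ADMIN_TOKEN_PLAINTEXT")
    # The page sets both flags to false; anything else is reported.
    for key in ("SIGNUPS_ALLOWED", "INVITATIONS_ALLOWED"):
        if env.get(key, "").lower() != "false":
            findings.append(key + "_NOT_FALSE")
    return findings


# Constructed samples: the first mirrors the page's environment block, the
# second swaps in a made-up, non-functional Argon2id PHC string.
PAGE_STYLE = """
    environment:
      - TZ=America/Denver
      - INVITATIONS_ALLOWED=false
      - SIGNUPS_ALLOWED=false
      - ADMIN_TOKEN=REDACTED #PUT A REALLY SECURE PASSWORD HERE
"""
HASHED = PAGE_STYLE.replace(
    "REDACTED", "$$argon2id$$v=19$$m=65540,t=3,p=4$$Y29uc3RydWN0ZWQ$$c2FtcGxlaGFzaA")

if __name__ == "__main__":
    print(audit(PAGE_STYLE), audit(HASHED))
```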

.env
Not Applicable

Traefik Reverse Proxy Configuration

If the container does not run on the same host as Traefik, you will need to manually add configuration to Traefik's dynamic config file, outlined below.

http:
  routers:
    bunny-vaultwarden:
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
      service: vaultwarden
      rule: Host(`vault.bunny-lab.io`)

  services:
    vaultwarden:
      loadBalancer:
        servers:
          - url: http://192.168.5.15:80
        passHostHeader: true