
Vaultwarden Installation and Deployment

Bitwarden is an open-source password manager with clients for many platforms. It keeps the vault in a cloud database, synchronizes it to the clients and allows offline use, much like 1Password does today. Vaultwarden is an unofficial Bitwarden server implementation written in Rust and is compatible with the official clients on every platform. The bitwarden_rs project has since been renamed vaultwarden. This article covers deployment on CentOS 8.

Building from source

Install the dependencies

yum install -y mysql-devel openssl-devel

Install Rust

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source $HOME/.cargo/env

Build and install vaultwarden

wget https://github.com/dani-garcia/vaultwarden/archive/refs/tags/1.21.0.tar.gz
tar xzf 1.21.0.tar.gz
cd vaultwarden-1.21.0
cargo build --features sql_type --release

Here sql_type selects the database backend and may list one or more of sqlite, mysql and postgresql. The resulting binary is at target/release/vaultwarden.

The build takes about 5 minutes. When it finishes, copy the binary to /usr/bin and make it executable:

cp target/release/vaultwarden /usr/bin/vaultwarden
chmod +x /usr/bin/vaultwarden

Next, create the working directory that will hold the data and install web-vault into it. The working directory is /data/vaultwarden.

mkdir /data/vaultwarden && cd /data/vaultwarden
wget https://github.com/dani-garcia/bw_web_builds/releases/download/v2.20.4/bw_web_v2.20.4.tar.gz
tar -xzvf bw_web_v2.20.4.tar.gz

Because building web-vault yourself needs at least 1.5 GB of RAM, I simply use the web-vault build that the author provides prebuilt.

Create the .env configuration file:

vim vaultwarden.env

Official template

Write the following configuration (some values must be changed):

DATA_FOLDER=/data/vaultwarden

# Database connection URL
# DATABASE_URL=data/db.sqlite3
DATABASE_URL=mysql://user:password@host:port/database_name
# DATABASE_URL=postgresql://user:password@host[:port]/database_name

# Enable WebSocket notifications
WEBSOCKET_ENABLED=true
WEBSOCKET_ADDRESS=127.0.0.1
WEBSOCKET_PORT=3012

# Log file path
LOG_FILE=/data/vaultwarden/log

# Admin panel login token (replace TOKEN with a long random string)
ADMIN_TOKEN=TOKEN

# Site domain, bind address and port
DOMAIN=https://bw.hikoutei.com
ROCKET_ADDRESS=127.0.0.1
ROCKET_PORT=8000

# Mail settings (port 465 requires SMTP_EXPLICIT_TLS)
SMTP_HOST=smtp.exmail.qq.com
SMTP_FROM=system@hikoutei.com
SMTP_FROM_NAME=HIKOUTEI
SMTP_PORT=465
SMTP_SSL=true
SMTP_EXPLICIT_TLS=true
SMTP_USERNAME=USERNAME
SMTP_PASSWORD=PASSWORD

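The env file above carries the admin token and the database and SMTP passwords, so before starting the service it is worth checking that the template placeholders were replaced, that the admin token is long enough, that DOMAIN is an https:// URL and that the file is readable only by its owner. The following script is an added example and not part of the original post; the function names check_vaultwarden_env and generate_admin_token and the constructed sample file are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# vaultwarden.env created above. Function names and the sample file are
# assumptions made for this example.

# Print a random value suitable for ADMIN_TOKEN (48 random bytes, base64).
generate_admin_token() {
  openssl rand -base64 48 | tr -d '\n'
}

# Return 0 if the env file passes all checks, 1 otherwise; reasons go to stdout.
check_vaultwarden_env() {
  f="$1"; rc=0
  # 1. Template placeholders still in place?
  for kv in 'ADMIN_TOKEN=TOKEN' 'SMTP_PASSWORD=PASSWORD' \
            'DATABASE_URL=mysql://user:password@host:port/database_name'; do
    if grep -qxF -- "$kv" "$f"; then echo "placeholder left in place: $kv"; rc=1; fi
  done
  # 2. Admin token long enough that it cannot be guessed (the admin page sits
  #    behind the same Nginx proxy as the vault).
  tok=$(sed -n 's/^ADMIN_TOKEN=//p' "$f" | head -n 1)
  if [ "${#tok}" -lt 32 ]; then echo "ADMIN_TOKEN is shorter than 32 characters"; rc=1; fi
  # 3. DOMAIN must be https://, otherwise clients are handed a plain-text URL.
  if ! grep -q '^DOMAIN=https://' "$f"; then echo "DOMAIN is not an https:// URL"; rc=1; fi
  # 4. Only the owner may read the file (GNU stat first, BSD stat as fallback).
  mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
  case "$mode" in
    600|400) ;;
    *) echo "env file mode is $mode, expected 600"; rc=1 ;;
  esac
  return "$rc"
}

# Stand-alone demo on a constructed file that still carries the template values.
demo=$(mktemp)
printf 'ADMIN_TOKEN=TOKEN\nDOMAIN=https://bw.example.test\nSMTP_PASSWORD=PASSWORD\n' > "$demo"
chmod 644 "$demo"
if check_vaultwarden_env "$demo"; then
  echo "vaultwarden.env looks fine"
else
  echo "fix the issues above, e.g. ADMIN_TOKEN=$(generate_admin_token)"
fi
rm -f "$demo"
```

Run it as `sh check_env.sh` after editing the file, or call check_vaultwarden_env /data/vaultwarden/vaultwarden.env from a deployment script and refuse to start the service when it returns non-zero.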
Create the systemd service:

vim /etc/systemd/system/vaultwarden.service

Write the following configuration:

[Unit]
Description=Bitwarden Server (Rust Edition)
Documentation=https://github.com/dani-garcia/vaultwarden
After=network.target

[Service]
User=root
Group=root
EnvironmentFile=/data/vaultwarden/vaultwarden.env
ExecStart=/usr/bin/vaultwarden
LimitNOFILE=1048576
LimitNPROC=64
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
WorkingDirectory=/data/vaultwarden
ReadWriteDirectories=/data/vaultwarden
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

Enable vaultwarden at boot and start it:

systemctl daemon-reload
systemctl enable vaultwarden.service
systemctl restart vaultwarden.service

Create the Nginx configuration file:

server {
  listen 80;
  server_name bw.hikoutei.com;
  return 301 https://$host$request_uri;
}
server {
  listen 443 ssl http2;
  server_name bw.hikoutei.com;

  ssl_certificate /data/html/cert/bw.hikoutei.com.pem;       # replace with the path to your certificate
  ssl_certificate_key /data/html/cert/bw.hikoutei.com.key;   # replace with the path to your certificate's private key
  ssl_session_timeout 10m;
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;  # cipher suites to use
  ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;   # protocols to allow (TLSv1.1 is deprecated by RFC 8996; drop it unless a legacy client needs it)
  ssl_prefer_server_ciphers on;

  client_max_body_size 128M;

  location / {
    proxy_pass http://127.0.0.1:8000;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

  location /notifications/hub {
    proxy_pass http://127.0.0.1:3012;
    proxy_http_version 1.1;   # the WebSocket upgrade needs HTTP/1.1 to the upstream; nginx defaults to 1.0
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }

  location /notifications/hub/negotiate {
    proxy_pass http://127.0.0.1:8000;
  }
}
