diff --git a/docker/Installation Procedure Vaultwarden on Docker.md b/docker/Installation Procedure Vaultwarden on Docker.md new file mode 100644 index 00000000..f7e041e6 --- /dev/null +++ b/docker/Installation Procedure Vaultwarden on Docker.md 
@@ -0,0 +1,277 @@ +# Vaultwarden Installation + +The goal of this procedure is to simplify the installation of Vaultwarden using Docker. + +Prerequisites: +A Debian machine virtual or physique; *the method works on multiple distributions, but commands may need to be adapted for Docker installation.* + +## Docker Installation + +### Configure the Docker Repository + +*Source: * + +1. Update the package list: + + ```sh + sudo apt-get update + ``` + +2. Install the necessary packages: + + ```sh + sudo apt-get install ca-certificates curl gnupg + ``` + +3. Create the directory for the repository keys: + + ```sh + sudo install -m 0755 -d /etc/apt/keyrings + ``` + +4. Download and add the Docker GPG key: + + ```sh + curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg + ``` + +5. Change the permissions of the GPG key: + + ```sh + sudo chmod a+r /etc/apt/keyrings/docker.gpg + ``` + +6. Add the Docker repository to the APT sources list: + + ```sh + echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo $VERSION_CODENAME) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null + ``` + +7. Update the package list to include the Docker repository: + + ```sh + sudo apt-get update + ``` + +8. Install the necessary Docker packages: + + ```sh + sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin + ``` + +### Verify Docker Installation + +9. Check the status of the Docker service: + + ```sh + systemctl status docker + ``` + +10. If Docker is "active (running)", enable the Docker service to start automatically after the machine reboots: + + ```sh + sudo systemctl enable docker + ``` + +### Useful Docker Commands + +- `docker ps -a`: Shows all containers, including their status, creation date, age, name, and ID. 
+- `docker stop ` / `docker rm `: Stops (`stop`) and removes (`rm`) a container by adding its ID. +- `docker compose up -d`: Runs the `docker-compose.yml` file to start the containers in detached mode (`-d`). + +#### Command Details + +##### `docker ps -a` + +Displays all containers, whether running or stopped, with information such as: + +- Container ID +- Image used +- Command executed +- Creation date +- Status (running, stopped, etc.) +- Exposed ports +- Container names + +##### `docker stop ` / `docker rm ` + +- `docker stop `: Stops a running container. +- `docker rm `: Removes a stopped container. + +**Example:** + +```sh +docker stop 1a2b3c4d5e6f +docker rm 1a2b3c4d5e6f +``` + +## Creating Self-Signed Certificates with OpenSSL + +*For this part, we will use self-signed certificates. In production, we will reproduce this step by copying the certificates.* + +1. Once Docker is installed, we will need certificates for connecting to the VaultWarden web interface. To do this, create the `/ssl` and `/docker` directories at the root of our Debian machine if they don't already exist: + + ```sh + mkdir /ssl + mkdir /docker + ``` + + */ssl will be used to store the .csr, .crt, and .key files we will create, and /docker will contain the configuration files for our containers.* + +2. Continue by generating the self-signed certificates. Move to the `/ssl` directory: + + ```sh + cd /ssl + ``` + +3. Create the following four files: .pem, .key, .crt, and .csr: + + ```sh + openssl genrsa -des3 -out vaultwarden.key 2048 + openssl req -x509 -new -nodes -key vaultwarden.key -sha256 -days 10000 -out vaultwarden.pem + openssl genrsa -out vaultwarden.key 2048 + openssl req -new -key vaultwarden.key -out vaultwarden.csr + openssl x509 -req -days 10000 -in vaultwarden.csr -signkey vaultwarden.key -out vaultwarden.crt + ``` + + *Note: The generated certificate is valid for 10,000 days (about 27 years). This variable can be adjusted as needed. 
If necessary, a new certificate can be reissued on the machine using the CA created above.* + +## Creating Docker-Compose.yml and CaddyFile Configuration Files for Deploying Containers + +### A. Creating the Caddyfile + +1. Access the `/docker` directory and create the files necessary for deploying the Caddy and Vaultwarden containers via Docker. Start with the Caddyfile: + + ```sh + nano Caddyfile + ``` + +2. Copy the following content into it: + + *The first line corresponds to the title of our vaultwarden page, which will be accessible via a web browser.* + + ```sh + *your domain name* { + tls internal + + encode gzip + + reverse_proxy /notifications/hub vaultwarden:3012 + reverse_proxy vaultwarden:80 + } + ``` + + *To save, simply press Ctrl+X and then O.* + +3. With the CaddyFile created, proceed to the docker-compose.yml file: + +### B. Creating the Docker-Compose.yml File + + ```sh + nano docker-compose.yml + ``` + + Copy the following content: + + ```sh + version: '3.7' + + services: + vaultwarden: + image: vaultwarden/server:latest + container_name: vaultwarden + restart: always + environment: + WEBSOCKET_ENABLED: true + ADMIN_TOKEN: #YourAdminToken + DOMAIN: "YourDomain" # Your domain; vaultwarden needs to know it's https to work properly with attachments + volumes: + - vw-data:/data + + caddy: + image: caddy:2 + container_name: caddy + restart: always + ports: + # Needed for the ACME HTTP-01 challenge. + - 443:443 + volumes: + - ./Caddyfile:/etc/caddy/Caddyfile:ro + - ./ssl:/ssl + - caddy-config:/config + - caddy-data:/data + - caddy-logs:/logs + environment: + - DOMAIN= # Your domain. + #EMAIL: "YOUR EMAIL" # The email address to use for ACME registration. + #LOG_FILE: "/data/access.log" + + volumes: + vw-data: + caddy-config: + caddy-data: + caddy-logs: + ``` + +### C. 
Enabling the Admin Console + +These lines enable the admin console: + + ```sh + WEBSOCKET_ENABLED: true + ADMIN_TOKEN: YourAdminToken + ``` + +**They can be omitted or modified to hide the admin console token (password).** + +4. To hide the token, add these lines: + + ```sh + WEBSOCKET_ENABLED: true + # Reference the secret + ADMIN_TOKEN_FILE: "/run/secrets/admin_token" + + secrets: + admin_token: + file: ./admin_token.txt + ``` + +5. Next, create the `/run/secrets` directory and the `admin_token.txt` file. Enter the following into this file: + + ```sh + echo "*OurVaultWardenAdminToken*" > admin_token.txt + ``` + +### Starting the Docker Containers + +1. To start our containers, run the following command: + + ```sh + docker compose up -d + ``` + + To verify the containers are running properly, use the command: + + ```sh + docker ps -a + ``` + + Then, open a browser and enter your Vaultwarden domain here: + + To access the admin console, simply go to + + Although the connection is established via HTTP, it will be automatically redirected to HTTPS by accepting the risks associated with self-signed certificates. + + **Vaultwarden needs to be run in HTTPS for account creation.** + + VaultWarden is now operational. + + You need to set up DNS autorization for your Vaultwarden with your + +2. Useful Docker Commands + + ```sh + • docker ps -a : #View running containers, creation date, container age, name, and ID. + • docker stop /rm *container id*: #Stop (stop) and remove (rm) a container by adding its ID. + • docker compose up -d : #Launch docker-compose.yml to run the containers. + ```
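Review bot: In the docker-compose.yml block, the caddy service publishes only `- 443:443` under the comment "Needed for the ACME HTTP-01 challenge", but HTTP-01 needs port 80 reachable, and the later sentence "Although the connection is established via HTTP, it will be automatically redirected to HTTPS" cannot hold when nothing is published on 80; either add `- 80:80` or drop the ACME comment and the HTTP-redirect claim. The Caddyfile uses `tls internal`, so Caddy issues its own certificate and the files produced in the OpenSSL section are never used even though `./ssl:/ssl` is mounted (and that relative mount resolves to /docker/ssl, not the /ssl directory created in step 1); either point Caddy at them with `tls /ssl/vaultwarden.crt /ssl/vaultwarden.key` or remove the OpenSSL section. Within that section, the third command `openssl genrsa -out vaultwarden.key 2048` silently overwrites the passphrase-protected key from the first command, so vaultwarden.pem no longer matches the key that signs vaultwarden.crt, and the note about "the CA created above" is misleading because no CA is created; both certificates are self-signed. In the admin-console section, `WEBSOCKET_ENABLED: true` does not enable the admin console (only `ADMIN_TOKEN` does), the unquoted YAML boolean should be written `"true"` since Compose expects string environment values, and the `ADMIN_TOKEN_FILE` snippet is incomplete: the vaultwarden service also needs a `secrets:` list naming `admin_token` alongside the top-level `secrets:` definition, and step 5 should not ask the reader to create `/run/secrets` on the host, since Docker mounts the secret at that path inside the container from `./admin_token.txt`. Smaller points: the repository steps fetch the key and list from download.docker.com/linux/ubuntu although the prerequisite is a Debian machine (the /linux/debian key and repository apply there), `*Source: *` and the "enter your Vaultwarden domain here:" / "simply go to" sentences have lost their URLs, "physique" should read "physical", "autorization" is misspelled and that sentence is cut off, and the closing "Useful Docker Commands" list repeats the earlier section as bullets inside a code fence.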