Eric Crowder

How to Set Up bitwarden_rs on an Alpine Linux Virtual Machine

2020-03-11

Previously, I described how to deploy bitwarden_rs using AWS Fargate. Fargate is a great service, but is relatively expensive and a bit overkill for simple, lightweight deployment use cases.

For a cloud deployment of bitwarden_rs, we really just need a dedicated VM. Fortunately, we have a few options:

For more info about the Bitwarden project, see the aforementioned post.

For this post, we will be setting up bitwarden_rs using Alpine Linux. Linode is a great choice for this distribution as they offer Alpine Linux images for all of their VM options. However, these instructions should port fairly easily to other Linux distros - just substitute the applicable package manager in for Alpine’s apk.

setup

Launch an Alpine Linux VM and update the operating system and related packages:

install docker

 * Caching service dependencies .. [ ok ]
 * Mounting cgroup filesystem .. [ ok ]
 * /var/log/docker.log: creating file
 * /var/log/docker.log: correcting owner
 * Starting Docker Daemon .. [ ok ]

install sqlite

bitwarden_rs uses sqlite as its database. In order to interact with it, we will need to install the sqlite client.

get bitwarden_rs image and run

CONTAINER ID IMAGE                     COMMAND
eb9df44334a0 bitwardenrs/server:latest "/bitwarden_rs"

add a domain

In order to use HTTPS, we need to assign our VM a domain and generate an HTTPS certificate. Each of the major cloud providers (Amazon, Google, Azure) provides a simple solution for managing the DNS of a particular VM. Digital Ocean and Linode also provide similar DNS solutions. So, pick a domain name of your choosing and set it up for your VM.

setup https via lets encrypt

completion

# Replace YOUR_DOMAIN_HERE with the domain the certificate was issued for.
sudo docker run -d --name bitwarden \
  -e ROCKET_TLS='{certs="/ssl/live/YOUR_DOMAIN_HERE/fullchain.pem",key="/ssl/live/YOUR_DOMAIN_HERE/privkey.pem"}' \
  -v /etc/letsencrypt/:/ssl/ \
  -e SIGNUPS_ALLOWED=false \
  -e WEB_VAULT_ENABLED=false \
  -v /bw-data/:/data/ \
  -p 443:80 \
  bitwardenrs/server:latest
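
Before starting the container, it helps to confirm that the files ROCKET_TLS points at are actually reachable through the /ssl mount. The script below is an added example, not part of the original post: the function names are made up for illustration, and it assumes certbot's default layout, where live/YOUR_DOMAIN_HERE/ holds symlinks into archive/ (which is why the whole /etc/letsencrypt/ directory is mounted rather than just the live folder).

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the
# certificate files referenced by ROCKET_TLS.
# Assumptions: certbot's default layout (live/<domain>/ holds symlinks into
# archive/) and the "-v /etc/letsencrypt/:/ssl/" mount used in the post.

# Print the ROCKET_TLS value for a domain, using the container-side /ssl path.
rocket_tls_value() {
    printf '{certs="/ssl/live/%s/fullchain.pem",key="/ssl/live/%s/privkey.pem"}' "$1" "$1"
}

# check_tls_files DOMAIN [LE_ROOT]
# Returns 0 only if both files exist, resolve to a path inside LE_ROOT (so the
# symlink targets are visible through the mount), and the private key is not
# accessible to "other" users.
check_tls_files() {
    domain=$1
    root=$(readlink -f "${2:-/etc/letsencrypt}") || return 1
    for name in fullchain.pem privkey.pem; do
        path="$root/live/$domain/$name"
        [ -f "$path" ] || { echo "missing: $path" >&2; return 1; }
        target=$(readlink -f "$path")
        case "$target" in
            "$root"/*) ;;
            *) echo "outside mount: $path -> $target" >&2; return 1 ;;
        esac
    done
    # Octal mode of the key file itself (-L follows the symlink).
    mode=$(stat -L -c %a "$root/live/$domain/privkey.pem")
    case "$mode" in
        *[1-7]) echo "privkey.pem mode $mode is accessible to other users" >&2; return 1 ;;
    esac
    return 0
}

# Usage: sh preflight.sh YOUR_DOMAIN_HERE
if [ "$#" -ge 1 ]; then
    check_tls_files "$1" && rocket_tls_value "$1" && echo
fi
```

Run it as root (the live and archive directories are not readable otherwise); on success it prints the value to pass as ROCKET_TLS.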