Installing a Vaultwarden Server for Bitwarden

Captions
Hello everyone, I'm Jacob Kauffmann, I'm the Nerd on the Street, and today we're setting up a Vaultwarden server for the Bitwarden password manager.

[Music]

Okay everybody, it has been quite a while since I've made a video, so I hope I'm not too rusty. Like I said, today we're setting up a password manager, and there are a few things I want to talk about before we actually get into the installation. First of all, if you're not aware, a password manager is an application on your computer that keeps track of all your passwords for you. There are a lot of different websites online; most people have dozens or even hundreds of accounts, and it's bad practice to use the same password for every account, because if any one of those websites gets hacked or something like that, then all of your passwords, all of your accounts, would be exposed. You want to use a unique and strong password on every single website that you sign up for, every single service, and every single computer that you have as well. But it can be difficult to remember all of those passwords, so a password manager keeps them all in one place and remembers them so that you don't have to.

Now, I used to be against password managers in general. It seemed to me like a bad idea to put all of your passwords in one virtual location, because it means that if anybody hacks into that password manager, they get all of your accounts instead of just one. For that reason I made a video a few years back unboxing this Rolodex, and I used paper on a Rolodex for a long time to keep track of my passwords. Before I got this I had a notebook that I just put everything in on a single page, but then it got difficult to find the passwords that I needed because they weren't sorted. The Rolodex is nice because you can take pages out and put them in other places, so you can make sure that it's all alphabetically organized. Now, the Rolodex actually was not as convenient as I imagined, especially as I got a little bit older and some of my priorities started
to change in terms of the technology that I use. The biggest problem with the Rolodex is that when I'm traveling I don't have access to it. You know, when I first moved from St. Louis to Denver I was 800 miles away from this Rolodex, and so when I needed to sign into a website I had to have somebody in St. Louis get this Rolodex out and send me a picture of it, because it was not in the backpack that I took the first time I made the trip over here. That obviously also suggests the second vulnerability: anybody who has physical access to your premises, anybody who has access to your desk, can see the Rolodex, and they can take pictures of the Rolodex fairly quickly. My argument at the time was that if your physical security is compromised, it's only a matter of time until your digital stuff is compromised as well, which is a valid point, but still, the Rolodex is just a little too easy and convenient for other people to walk up to, especially now that I'm living with a roommate, for instance. I of course trust my roommate not to walk into my room and look at my belongings, but the point is the vulnerability is there.

But yeah, the biggest thing that changed my mind about password managers was really that I knew I was going to be doing more traveling, going more places, and I also have a lot of different computers, and I've got phones and tablets, and I need to be able to access as many of my accounts as possible, ideally all of them, from any of those devices. So a password manager, especially one with syncing capability or with cloud-based storage, can really make a difference in how convenient it is to sign in to different websites. Now, in my opinion, a password manager that just sits on your computer and does not sync, where there's just a single copy of it and you need to be in front of this computer to access it, is still not as convenient, and it's still not worth using that sort of password manager over something like a Rolodex. However, there's a fairly
popular cloud-based password manager called Bitwarden, and when I say cloud-based I mean there is an official Bitwarden instance that Bitwarden the company runs, and if you want to just sign up and use their instance you can do that. Part of the reason why Bitwarden is secure is that it makes you select a master password, and that's basically one really strong password. You do have to remember that one, because that password is used to encrypt all of your other passwords, so as long as nobody guesses that master password, the rest of them are theoretically safe, even from the person who is running the server. However, even with that in mind, I am still a little bit too paranoid to keep all of my passwords, even in encrypted form, on somebody else's server.

Last year, or I guess two years ago now, I built a NAS, a network attached storage box, and I'm running some web services on that NAS, and Bitwarden is one of the services that I'm running on it. I was excited to make a video about this because I'm not sure I can stress enough how often I find myself using Bitwarden. I mean, I use it more often than Standard Notes, more often than Telegram; it's an application that I open up every single day. I use Bitwarden basically every day, so it works very well, I'm very happy with how it's working for me, and I wanted to show you guys how you can set up your own instance of Bitwarden easily, in case you want to.

Now, Bitwarden is an interesting application. There are actually two components to the server: there's the Bitwarden server itself, which actually manages the password database, and then there's the Bitwarden web application that lets you go to a website and connect to that Bitwarden server. The reason why it's important to distinguish those is that Bitwarden also has different apps. You know, if you've got a Linux computer, for instance, it's an Electron application on PCs, but Bitwarden also has native apps for Android and iOS, so on
your phone you can download that app and it connects to the same back-end Bitwarden server; it just doesn't go through the Bitwarden web front end. The reason why it's important to understand how complicated it is is that, like I said, today we're setting up something called Vaultwarden, and this is actually a re-implementation of the Bitwarden protocol in a different programming language. Bitwarden is written in C#, and on Linux you might be more familiar with the term Mono, which is the open source implementation of C#. It's not exactly a very standard language; it is very popular on Windows-based platforms, and the official Bitwarden server can run on Windows servers, but that means that on Linux it's not the most straightforward thing to get running. The Bitwarden company has a guide on how to set your own server up, but the only option you have if you're following their guide is to run it in a Docker container. Not even a single Docker container, though: the official Bitwarden server and web client actually run in separate Docker containers, and then the recommendation from Bitwarden themselves is to use Docker Compose to set up multiple containers at the same time.

Now, if you've been following my channel for a while, you probably know that I am a little averse to containerization. A lot of the time I prefer to set programs up directly. Things like Nextcloud, Collabora, Jitsi, these are all things that are sometimes easier in certain situations to set up using Docker or other container systems, but I usually prefer to set apps up natively, running on as close to bare metal as possible, or at least on a virtual private server, so that I can manage all of the configuration and I don't have to worry about overhead or the more complicated configuration for those container platforms. So I started looking for alternatives to that official Bitwarden server, and there's one called Vaultwarden. It was originally called bitwarden_rs, and so
Vaultwarden is basically a rewrite of Bitwarden by a third party. It's not officially created by the people behind Bitwarden itself, but Vaultwarden is written in Rust, and, while it's not a hard rule, as a general guideline Rust applications tend to be very fast. They also tend to be very secure, because a lot of the security vulnerabilities and also instability issues that you get in other programming languages, such as memory leaks or segmentation faults, are very difficult to actually do in Rust. The Rust compiler checks for those issues and does not even let you compile the program if certain issues are going to occur. It is still possible to write bad applications in Rust, and the programming language has functions built in that you can use to circumvent some of those safety features, but just as a general rule of thumb, Rust is fast and Rust is secure, which are two things that C# from Microsoft isn't necessarily always. So I really like Vaultwarden because it's written in Rust, and for a password manager especially you want it as secure as possible. I also like it because it's a little bit simpler to set up than Bitwarden.

Now, Vaultwarden also strongly recommends, or kind of requires, that you set it up through Docker. With Vaultwarden it is actually simple enough that, if you want to, they say you can download the Docker container and then extract the binary from within that Docker container, so you can run the binary on bare metal if you want to. However, Vaultwarden does not officially publish any pre-built binaries; they only publish the source code and their Docker containers, so the Docker container is really the supported way to run Vaultwarden. So I'm going to show you how to set this up today. We're not going to use Docker itself, but we're going to use the Docker image, and we're going to use it with an application called Podman. Podman is an application written by Red Hat, and it's basically just an alternative interface to containers. It does work
with Docker containers; it might also work with some other container formats. Docker is obviously the most popular container format, so the steps that we're going to use and the command we're going to run to start the Podman container are actually almost the same as what you would do if you were using Docker itself. Now, I prefer Podman because it is easier to set up integration with the rest of the system, at least on Linux if you're running systemd, which you are if you're using Debian or Red Hat or CentOS or any of the other major Linux distributions; you're using systemd for your init system. Docker actually kind of has its own init system built in; it manages the containers itself. Podman is meant to integrate with other Linux components, and so you can actually generate systemd service files to start and stop your Podman containers, so I feel a little bit more comfortable using Podman. And to be clear, I'm not even on a Red Hat distribution; I'm on Debian on my NAS. I'm going to show you how to set this up on Debian today, but since Podman is open source, it is in the repository for Debian. Unlike Docker, which strongly recommends that you don't use your distribution's packages (Docker really wants you to add their third-party repository to install Docker), Podman, once again, is part of the Linux ecosystem, so it's going to be in your distribution's repositories. You install it, you run the commands.

Now, for those of you, once again, who have been around for a while, I know Docker and containers might be scary for you. They were scary for me at first. I learned a little bit about Podman when I did my Red Hat Certified System Administrator certification a couple of years ago. The thing about containers, or anything else in open source, is really that it's not scary if you understand it. Now, I do still like to avoid complication when possible, but once again this is just going to be the simplest and most supported way to run this application, so we are going to do this with Podman today. However, I'm
not just going to give you the command to copy and paste; I'm actually going to walk you through every single flag that we're putting into that very long command, so that you understand exactly what you're doing and what you might need to change if you're going for a different configuration than the one I'm going to show you. So yeah, that was kind of a long-winded explanation, but I wanted to go over all of that just because I've been very vocally against Docker containers in some of my past videos. I wanted to explain why I'm okay with using them now, and I wanted to explain why I'm okay with using password managers now. But without further ado, I do hope that this application could be helpful to some of you, so let's cut to the desktop and set this thing up.

Okay everyone, and here we are on the desktop. So the first thing we're going to do is just set up a virtual private server to install this application on. Obviously this is a very sensitive application, so you do want to choose a VPS that you can somewhat trust, even though your password database, like I said earlier, will be encrypted. Personally I would recommend going with Linode if you don't have your own server. I'm going to show you how to do this on DigitalOcean just because I have a lot of credit built up on here, but you can also use your own server if you've got one; it just needs to have Debian 11 installed. So I'm just going to select the closest data center to me; that should be fine. Once again, we're using Debian 11. The instructions should also work on Debian 12.
I have not tried Debian 12 yet, so I'm not sure what tweaks might be needed, but 11 is the latest version at this time. This is a pretty lightweight application. The official Bitwarden server is a little bit heavier, but Vaultwarden is pretty light, once again because it is written in Rust. Just to be on the safe side here I'm going to go with one gigabyte of RAM; we only need a single CPU for this. I'm going to select my SSH key here so that I can sign in to the droplet without having to enter a password. If you're using your own system, or if you need to just use the password option because you don't have an SSH key set up, you're fine to do that; that will not affect the tutorial. And I'm just going to set our hostname here; I'll call it PW server. So I'll go ahead and let DigitalOcean create that droplet here. It has been about six months since I've made a video, but I do recall DigitalOcean giving you a little bit more feedback when you go to create a droplet. I'll just try refreshing the page there. There we go.

Now, as soon as we have the IP address here I'm going to copy that, and we do want to set up a domain name so that we can set up SSL with Let's Encrypt. SSL itself, TLS, does not technically require you to use a domain name, but Let's Encrypt does require a domain name. So we're going to copy that IP address, I'm going to come over to my DNS settings for nerdonthestreet.com, and we're going to do this with example.nerdonthestreet.com. I'll just paste in the IP address there. I'll set the TTL pretty low since I'm going to delete this later, but that is entered into the DNS database now, so that should be propagated by the time we need it later.

In the meantime, though, I'm going to minimize this web browser, I'm going to open up a terminal, drag that into view here, and we're going to go ahead and SSH into our server. I'm going to log in directly as the root user. You don't want to be logged in as root all the time, especially on a desktop system, but when we're just setting a server up it
does make sense to be signed in as root. If you're not already logged in as root, you can do that by typing sudo -i, or you can just figure out which commands need sudo; it's probably going to be most of them. Now, all of the commands I'm about to run I do have written on a website, so check the description for the link to that website, and you can copy and paste the commands from there if you're following along.

So the first thing we're going to do on our Debian server is just run a quick apt update to make sure that we're all up to date with all of our packages that are already installed. Okay, we do have about 80 packages that can be upgraded, so we'll do an apt full-upgrade to install all of those. Since we have an OpenSSH update here we get a prompt; I'm just going to keep the current version of our configuration, just the defaults that DigitalOcean put in there. And we are up to date. I did see we had a kernel update, so it's a good idea for us to reboot. We also had a dbus update that specifically asked us to reboot, so we'll go ahead and do that, and we'll just SSH right back in here. It might take us a couple of tries while that's still booting. And we are connected once again, so now we can actually get started.

We're going to install some prerequisites for Vaultwarden itself. The only two prereqs we have are podman and mariadb-server. So we are going to run Vaultwarden in a Docker container with Podman; however, we are also going to set up a MySQL database with MariaDB, and we're going to do that on the host system, because with containers you really want to be able to delete the container and start over without losing any data. That's kind of what happens when you install an update to a container: you're kind of deleting the old container and making a new one, so anything that you want to persist, such as a database, you do want to be outside of the container. You could use a second Podman container just to run MariaDB if you wanted to, but that's a little bit over
complicated, I think. And that's done. Now, the MariaDB database that we're going to set up will hold things like user configuration; however, we do also need a directory that's going to store some files, configuration files as well as the encrypted password database itself. So we're going to run mkdir, and we're just going to make this on the root of the server so it's really easy for us to remember where it is. I'm going to put it at /vaultwarden-data. You can call this whatever you want and you can put it wherever you want; just remember where it's at for later.

I'm going to clear my screen here, and we're going to run mysql_secure_installation, with underscores in between there. This is going to set up our MariaDB server just a little bit more securely. Now, the MariaDB packaging for Debian is already pretty secure. We don't have a root password to start out with, so we'll just hit enter. As you can see, we have a notice: you already have your root account protected, so you can safely answer no. So we're just going to hit no for both of those. We will go ahead and remove anonymous users, and we will disallow root login from remote systems. We will also remove the test database, and we will reload privilege tables to apply all of that.

Clearing the screen once again, we will actually enter MariaDB with the mariadb command, and we're going to set up that MySQL database for Vaultwarden. We're going to run CREATE DATABASE vaultwarden; then CREATE USER 'vaultwarden'@'localhost' IDENTIFIED BY 'password'; and we will GRANT ALL PRIVILEGES ON vaultwarden.* (all tables) TO 'vaultwarden'@'localhost'. If you're typing this manually, the user information does need to be surrounded by single quotes. That's everything we need to do for MySQL, so we will quit out of MariaDB and we'll clear the screen once again.

So next we are going to run the podman command that is going to fetch this Docker container and start it. Now, this is a really long command, so I'm actually going to copy it from the website
that I told you about, and I'm going to paste it right in here. However, I am going to go through and explain what every single one of these flags does, and all of this information is also available on that web page, so if you ever need to tweak your configuration, if you need to figure out what all of these things do and how to change something, you can go there and refer to it at any time.

So the first word here is podman: we are running the podman application, and we're using the argument run, so it's podman run. -d is short for --detach; that tells Podman to run this container in the background and not tie up our terminal here just sitting inside of that container. The --name option is going to set our name for the container; we're just going to call it vaultwarden. This is actually optional: if you don't specify a name, you'll get a random string of letters and numbers that's going to be its ID. I would highly recommend setting a name that's easy to type, because you are going to need to use either the name or the ID in some of the later commands, so that's why we're setting this.

Next we have --network host. Now, this option is going to allow this container to actually use the same network as the host system. I do want to point out, if you are running a lot of different Podman containers and some of them have proprietary applications inside of them, you might not always want to use --network host. This is a little bit insecure; it also exposes the D-Bus interface on the host, so basically some of the containerization is mitigated by just opening up the entire network to the container. And because this is a little bit less secure, --network host actually does require you to run this podman command as root, so if you're specifically going out of your way to not run this container as root, then you will not be able to run --network host. If you're doing that, I just want to mention there is another flag that you can use: it's -p, for publish, and if you use that
you can choose the host port that you're going to use and then the container port that you're going to use; the host port comes first. So this is how you would set up a port mapping between the container and the host if you are not using the host network. However, do be aware that if you were going to use a host port that is privileged, you would still need to run that as root anyway. I'm going for simplicity here, I'm going for not overcomplicating things, so we are just going to use the host network. Once again, Vaultwarden is an open source application and I kind of trust it to not try to access anything that it doesn't actually need. I'm running this in a container for convenience of setup; I'm not running it in a container because I want to restrict it, necessarily.

The next option we have is -v, for volume, and this is going to specify a volume that we're mounting inside of the container. Now, we set up that /vaultwarden-data directory earlier. It is a directory, so we have a trailing slash at the end, and we're just saying we want this directory on the host to be mounted to /data inside of the container. The reason we're using /data is just because Vaultwarden is set up to look at that directory by default and use that directory for its configuration. Now, this colon capital Z (:Z) at the end here is going to give the container write access, and it's also going to say we don't want Podman to allow any other containers to mount this directory. This directory is kind of sensitive; it is our password database that is going to be stored here, so even though it's encrypted, we don't want other containers to accidentally be able to mount this. That's why we're using a capital Z. You do need to give Vaultwarden write access to this directory for it to work at all, but just for your future reference, if you ever need to have multiple containers accessing the same host directory, you would just change this capital Z to a lowercase z, and that would allow multiple
containers to mount that at the same time. That's the end of our Podman-specific options, although the rest of these are -e; those are environment variables that we are passing to the Vaultwarden application inside of the container. The first one is ROCKET_PORT=8080; we're telling Vaultwarden we want to run on port 8080. Now, we are going to use Apache later to forward traffic to this port. The reason I'm using Apache is kind of twofold: for one, it's going to allow us to set up TLS a little bit easier and not have to worry about SSL/TLS configuration inside of the container; for another thing, I want to show you how to do it with Apache because it's really common for me to run multiple applications on the same server, and it's just a lot easier if you have an app like Apache managing the traffic. You know, if we just set this to port 80 or port 443 right here, you wouldn't be able to run any other web apps on the same server, because that port would be taken up exclusively by Vaultwarden. So we're using port 8080. Really, you can set this port to whatever you want; just remember what it is, because we are going to have Apache forward to this port later.

Next we have another environment variable; this is the DATABASE_URL. So this is mysql://; we're just saying it's a remote MySQL database. The URL syntax here is username:password@ followed by the location of the server, which is localhost. Once again, since we're specifying that we're using the host network, the container will be able to connect to localhost using just the localhost address, 127.0.0.1; I guess it's technically called the loopback address. And we're specifying :3306; 3306 is the default port that MariaDB is going to serve on. And finally we have /vaultwarden; the part that comes after the slash is the name of the database that we're going to try to use. So that's the longest option right there. And the last environment variable that we have is the ADMIN_TOKEN. Now, I've set this to
'random secret string'. If you are deploying this in production, if you're following along at home, you should replace everything in between these two single quotation marks with an actual random secret string. This is going to show up in your bash history, assuming you didn't add a space at the beginning of this command, and so this isn't the most secure secret string in the world, but you absolutely don't want to tell anyone else about it. The string that you put here is going to be used by Vaultwarden sort of as a master admin password when you're performing certain administrative tasks.

So those are all of the options, and then we just have the last argument of the command here, and this is telling Podman what container we actually want to start. Now, the docker:// at the beginning here is just telling Podman this is a Docker image and we want to fetch it from Docker Hub. vaultwarden is the organization that's publishing the image, server is the name of the image, and then :latest is the version. Now, if you want to verify where the software you're about to run is coming from, you can just go to hub.docker.com. Once again, it's sort of hard-coded into Podman that if we use docker:// it's going to get it from here, hub.docker.com. So there we can just search for Vaultwarden, and if we do that, the first couple of results are going to be from when it was called bitwarden_rs, but if we scroll down a little bit farther here, this is the image we're running: it's vaultwarden/server. So if we click on that we can see some information; we can see when it was updated. We do have an author page you can go and look at if you want to kind of verify where this is coming from. Now, you'll notice there's not exactly anything on this page that would verify this is the real Vaultwarden organization. On Vaultwarden's GitHub page they do link to the Docker setup; I mean, right down here on the README they've got the name of the Docker image, so
they're verifying externally that this is the correct organization. Another useful thing you can do here on the Docker Hub website, and it's not foolproof, is just take a look at the number of times this has been pulled. This particular image has been installed by people 50 million plus times, so 50 million installs would be a lot if they were actually tricking people; if this was an illegitimate image, that would be a lot of people that they've managed to trick by now. In all likelihood somebody would have noticed if it was malicious by the time it gets to 50 million downloads. Once again, that's not a hard rule, obviously, just a couple of really common-sense and easy things you can do if you are concerned about verifying which particular image you're installing.

But yeah, everything in between run and the name of the image, these are all just options. The command that we're running is really just podman run this image, and the rest of it is just sort of details. So that's everything that we're doing right there; it's really not that scary once you have looked at every single option individually. I'm just going to hit enter here. It's going to pull that down from Docker; it's grabbing that image in multiple chunks, it calls them blobs, and once it has all of those it starts a Docker image, it starts a Podman container that is, and it spits out this long ID number. Like I said, if you didn't say --name then you would need to use this ID number in the later commands when we're telling Podman to do different things to this container.

Now, at this point Vaultwarden is actually running in that container, and we can run podman ps. It's named after the regular ps command; it's listing the processes, sort of, in Podman. I'm not a huge fan of this command, I wish it was called podman list because that's what I always try to type, but podman ps is going to show you all of your containers that are running, and you see this is the container ID; it's the beginning of that ID that was spit out
right here. Like I said, at the end we see we did assign the vaultwarden name here, and you can see what's running inside of that container. Currently that container is running start.sh, because it started Vaultwarden and that was specified as part of the image definition on the Docker image. Just so you know, if you ever need to see containers that are stopped, you can run podman ps -a to see all containers; if you don't use -a you'll only see ones that are currently running, so keep that in mind. And also do take note, at the end here, our PORTS section is empty, once again because we didn't explicitly forward any ports. We can't explicitly forward any ports because we're using the host network; all ports are just going to be shared between the host and the container. If you did use that -p option, and you used it properly and you're not using the host network, then this would probably be where that shows up.

So we have Vaultwarden running. How do we actually get to it? Well, let's set up that Apache reverse proxy; let's get some SSL set up here. At this point I think if we actually go to example.nerdonthestreet.com:8080 we might actually be able to connect to it. Yeah, you can see it's saying it's only a plain HTTP website, so Vaultwarden is running, but you do not want to set up your account when you haven't set up HTTPS yet, so stop right there. We're going to install Apache and use Let's Encrypt to set up some TLS. So in order to do this we're going to do an apt install apache2 certbot python3-certbot-apache. It's going to grab some dependencies for us, and you may already have some of this installed, or all of it installed, if you're already running other websites on the same system. So that is all installed now.

I've made a video in the past just talking about Apache virtual hosts. We're going to make a virtual host for this application, so that's going to be at /etc/apache2/sites-available/vaultwarden.conf. So we're going to come in there and we're going to
specify this as a virtual host: if somebody connects to any IP address that is owned by the server, if they connect to it on port 80, then this virtual host is potentially going to be available. Now, we are going to specify ServerName example.nerdonthestreet.com, so once again, if you're running more than one application or more than one website on the same server, the server name is how Apache is going to determine which application to actually send traffic on port 80 to. It's going to say, well, did this person connect on example.nerdonthestreet.com? If they did, send that traffic to Vaultwarden. So we'll go ahead and save that. That's an extremely bare-bones configuration; we didn't actually tell Apache where to send any traffic yet, because we don't even want to send traffic anywhere if it's on port 80. We want to upgrade that to TLS. So let's go ahead and enable that really blank configuration, a2ensite vaultwarden, and Apache will let us know that in order to activate that configuration we need to reload apache2, so we'll do that. So at this point, if we go to example.nerdonthestreet.com without any port, once again it's just going to be plain HTTP, and it is going to be the Apache default page, because we didn't tell Apache what to do with that traffic yet; we just told it to listen on that domain name.

So we're going to rectify that right now. We're just going to run certbot --apache; this is how easy it is to get an SSL certificate these days. We'll enter in our admin email address for renewal reminders; renewal should usually be taken care of automatically, but if it's not, that will let you know. I will agree to the terms of service, I will not sign up for their mailing list, and which name would you like to activate HTTPS for? Number one is example.nerdonthestreet.com, so I could hit enter right now just to select everything; I'm just going to type in 1 for fun there, and it's going to request that certificate. The reason why Let's Encrypt requires a domain name is that they actually verify it
goes to that domain name, verifies that the server is in control of that domain name, and once that is done, as you can see, certbot goes ahead and sets up all the Apache configuration to support that SSL certificate. So if we come back over here to this default page and I refresh it, now it's secure; you see the slash through the lock icon went away. This is now an HTTPS website, so SSL is now set up properly. Now we can go ahead and get this to forward over to Vaultwarden. We're going to do that by opening up the file that they just told us they created right here; certbot created it for us. So we're going to nano into that Apache configuration file: it's just whatever you named it the first time, and they add -le-ssl at the end of the file name there. So if we come in here, you can see it wrapped all of this inside of an IfModule statement. I'm just going to clean up the indentation here real quick, just to make this look a bit nicer. All right, so now you can see what's going on a little bit easier. So if SSL is not installed on the system, if the Apache SSL module isn't installed or enabled, then Apache will just ignore this configuration gracefully; but if it is installed and enabled, then we'll get into this IfModule block, and this time we're saying if anybody connects to the server on any IP address at port 443, then, if the server name matches, we're going to connect securely using this SSL certificate file (the certificate, which carries the public key) and the private key, and we're just including some other options that certbot has taken care of for us to enable SSL. Now, at the bottom here, once we are all connected up (and it doesn't actually matter what order the things in this file are in, or at least in this section), once we are connected via SSL we are going to add in some more configuration. Once again I'm going to just paste this from my website, but we'll walk through it real quick. We're saying we want to turn on the rewrite engine to rewrite URLs and
where traffic is going. This websocket stuff here is saying that if any client, if a web browser or one of the Bitwarden apps, attempts to access example.nerdonthestreet.com/notifications/hub and then anything else after that, we're actually going to take that traffic and pass it as websocket traffic to localhost:3012. So that's actually a second port that Vaultwarden is listening on, and if you are using a more complicated network setup and you want notifications to work properly, that would be another port you have to worry about manually forwarding. After that, though, we are going to just proxy pass anything else that is on this domain name, example.nerdonthestreet.com/whatever; it's going to go to localhost:8080. Once again, on the localhost this is HTTP traffic: once it gets to the server, Apache decrypts it and then sends it over to the Vaultwarden container; Vaultwarden sends its stuff back to Apache; Apache encrypts it with TLS before sending it back to the client, so it's all secure from a public point of view. These are just a few more options we need for all of the proxying to work properly. So we are going to go ahead and save that file. Now, for that configuration to work properly we do need to enable a couple more Apache modules, so we're going to a2enmod proxy_http for the HTTP traffic, proxy_wstunnel for the websocket traffic, and headers, which is going to allow Apache to rewrite the headers of that traffic so that the Vaultwarden application doesn't get confused when it's getting traffic forwarded to it through a third party, Apache. So we'll go ahead and run that. And at this point we've got updated configuration, we've also got new modules that we just enabled, and you can reload Apache to load new configuration in, but since we actually enabled some new modules we can't just reload it, we actually need to restart it. So we'll go ahead and do that: systemctl restart apache2. And it failed. Okay, let's see what happened here.
It's weird that it's got all of the spaces specified there. Let me go ahead, maybe that's the issue here: was it just the configuration that I put in? Let's try backspacing and then putting those spaces in manually; we'll see if that changes the error message that we get. systemctl restart apache2. Now it's complaining about RewriteRule. Okay, yeah, so this was not an issue with the instructions that I gave you guys; this was actually an issue with my website: when I copied the spaces, it actually didn't copy them as spaces. So that's unfortunate, but that threw a little kink in the video there, so I will make sure to fix my website so that it actually works when you copy and paste the code before I publish it. For the time being, though, I'm just going to manually go ahead and correct all of these just so that we can move forward here. This looks ridiculous on video; it looks like I'm just taking away spaces and putting them right back. All right, so once again, you will not have that last issue if you're following along with this at home. systemctl restart apache2.
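The virtual host walked through above, written out as an added example; this is not the snippet from the author's website, and the exact lines there may differ. It assumes certbot's default certificate paths under /etc/letsencrypt/live/, the site name vaultwarden-le-ssl that certbot derives from the earlier a2ensite vaultwarden step, and Vaultwarden on 127.0.0.1:8080 (HTTP) and 127.0.0.1:3012 (websocket notifications); 127.0.0.1 instead of localhost is a choice here so Apache never tries an IPv6 ::1 backend first. The shell functions render the file and run the a2enmod, a2ensite, configtest and restart sequence.

```shell
#!/bin/sh
# Added example (not the config from the author's website): render the TLS
# virtual host that certbot created (vaultwarden-le-ssl.conf) with the
# websocket and proxy rules described in the video, then enable the modules
# and restart Apache. ASSUMPTIONS: certbot's default paths under
# /etc/letsencrypt/live/<domain>/, Vaultwarden reachable on 127.0.0.1:8080
# (HTTP) and 127.0.0.1:3012 (websocket notifications).

SITE=vaultwarden-le-ssl
MODULES="proxy proxy_http proxy_wstunnel headers rewrite"

# Print the :443 vhost for the given domain. The :80 vhost that certbot
# rewrote to redirect to HTTPS is left as it is.
render_vhost() {
    domain="$1"
    cat <<EOF
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName $domain

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/$domain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/$domain/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    # Websocket upgrades for /notifications/hub go to the port 3012 listener
    # (mod_proxy_wstunnel); everything else is proxied as plain HTTP to 8080.
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule ^/notifications/hub(.*)\$ ws://127.0.0.1:3012/notifications/hub\$1 [P,L]

    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/

    # Pass the real client address and scheme so Vaultwarden logs and
    # rate-limits the client rather than Apache.
    RequestHeader set X-Real-IP %{REMOTE_ADDR}s
    RequestHeader set X-Forwarded-Proto https
</VirtualHost>
</IfModule>
EOF
}

# Write the vhost, enable modules and site, test the config, then restart
# (a reload is not enough after enabling new modules).
install_vhost() {
    render_vhost "$1" > "/etc/apache2/sites-available/$SITE.conf"
    a2enmod $MODULES
    a2ensite "$SITE"
    apache2ctl configtest && systemctl restart apache2
}

# Usage: sh vaultwarden-vhost.sh render example.nerdonthestreet.com
#        sh vaultwarden-vhost.sh install example.nerdonthestreet.com
case "${1:-}" in
    render)  render_vhost "$2" ;;
    install) install_vhost "$2" ;;
esac
```

Run `render` first and diff the output against the file certbot wrote, so nothing certbot added (such as its options include) is lost before `install` overwrites it.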
Okay, it worked that time. We can do a systemctl status apache2 and we see that it is indeed running. And now if we go back to our example.nerdonthestreet.com and refresh this, now we get Vaultwarden. We didn't have to specify any port number, and it is running securely with SSL. So that is what it takes to get Vaultwarden running. I don't think it actually took me that long; it was like 10 commands or so. It was not that much that we had to do; we didn't really have to do any configuration other than Apache. Now, when you first access Bitwarden or Vaultwarden, you can see it's going to ask you some information to get yourself registered, so we can go ahead and create our first account here. I'm going to put jacob@nerdonthestreet.com as my example, name Jacob Kaufman, and the master password here. Once again, this is what's going to encrypt the rest of your passwords, so you do want this to be very secure. They say right here it cannot be recovered if you forget it, because it's encrypting everything else; there's nowhere they could possibly back that up safely. So I'm just going to try and type in a pretty secure password right here. It says it's weak. What if I add some numbers? Okay, so I'm just going to add 'password11!!' just for my example here. They still say it's a weak password; you should keep going until this bar is all the way up on your own system. And then you can't actually say what it is in your hint; they don't let you do that. All right, so I'm going to click Create Account. It warns me that the password is weak, but we can go ahead and continue anyway, and you can log in right here, put that password in, and actually just start using Vaultwarden right here. You will notice that they're using the Vaultwarden logo instead of the Bitwarden logo; that was a somewhat recent change they made, just with the web client. But we can go ahead and add an item just for the sake of example here, in case you've never used a password
manager before. I can say 'example account', and the username 'example username'. Password: you can actually type one in if you've already created the account; this was something I was worried about when I went to set up a password manager. You can click this button to generate a random password, but you do not have to do that; if you want to make your own password, you absolutely still can. I can type in an example password and it's going to remember that one for me. If you've got two-factor authentication enabled for a website, you can actually paste that key in and it will give you the two-factor authentication codes, the one-time passcodes, right here in the same app. Personally, I'm still using a separate app to keep track of those, once again just to not put all my eggs in the same basket, security-wise. But you can also put notes in; if you put a URL in, it will actually get the favicon and put it next to the entry in your password list; and then custom fields is another one I use a lot, for email: if I create an account on a website and I've got the username that I normally sign in with, I might also want to remember which of my dozen email addresses I used to sign up, so you can put in, you know, jacob@example.com for instance. If this is a very sensitive password, you can choose to always require entering the master password before it will actually let you see any of this information. If you don't have that enabled, if you've got the desktop app installed for instance, once you enter the master password it normally doesn't reprompt you for that until something like 10 or 15 minutes have passed. But I can go ahead and save that. We've got that now; I can just really easily copy the password and paste it in anywhere that I want (the URL bar is a bad place to paste it in, of course). And just to demonstrate also, if we take the actual official Bitwarden desktop application, once again I think this is an Electron application, it certainly looks like Electron to me, but we can do About Bit
warden, and this is not a Vaultwarden application; this is the actual Bitwarden application that the original Bitwarden company makes. Now, by default this application is going to sign into Bitwarden's managed server, so we've got our own custom server to connect to. Just go to the settings, and you need to do this on the mobile app as well: go to the settings and just enter in the address of your Bitwarden server or your Vaultwarden server, so we'll type in example.nerdonthestreet.com right there. We don't need to do any of this other stuff; it's going to generate all of this automatically, and correctly, from the server URL. So just hit save, and we can type in jacob@nerdonthestreet.com, and what was the password I just set, the master password? It was password11!!, right? That's right. So now we are signed in and we've got our example account. Anything that you do in one of these will reflect in the other one, so you can access it from all of your phones, your computers, and then if you're away, if you're borrowing a computer (obviously you want to be careful about what devices you're entering that master password on), but if you're using a different computer that you do trust but you don't have the app installed on, you can get to it really easily through the website. And one other feature I just want to call out before we actually finish up the setup is the organizations feature. If we go to New Organization: this is really useful if you've got more than one person on your server and you want to share some passwords between them. For example, on my server I've got a family organization. The email address doesn't matter too much for this, but I can go ahead and create that organization, and now I've got this other collection of passwords that I can have. So let's say we've got a family Amazon account, for instance; I can put in the username and password for that, I'll just generate one this time. 'You must select at least one collection',
so I do have to come down here and check a box to put it in the default collection (the default collection is not the default, unfortunately). But now we've got shared accounts: so if we go back here, you've got the passwords that you own personally that nobody else can see, and you've also got shared passwords that more than one person on your server can access. You can think of all the ways that this is just a really convenient system; I really have been having a good time using this. Back here on the desktop app, we can reload this, enter our master password again, and you can see once again we've got our personal collection and we've got our shared accounts. So Vaultwarden is installed and it is working great. However, there's one more piece you need to worry about, because if you actually reboot your server right now, you'll notice that Vaultwarden stops working. We have not configured Vaultwarden to actually start up by default yet. Apache, like we just saw in that status, the Apache service is enabled, and it's enabled by default, we still have it enabled, so Apache is going to start up; it's going to be ready to forward the traffic as soon as you boot your server up. However, Vaultwarden, the container and the application in the container, won't actually be running yet if you reboot. But don't worry, because like I said, podman is actually pretty easy to integrate with systemd, and that's what we're about to do: we're going to create a systemd service to start this container for us. Now podman actually has a command built in that you can use to generate a systemd service file automatically. The command for that is podman generate systemd --name, which we'll give the name of the container, which is vaultwarden, and then --files. And what this is going to do is generate a systemd unit file, a .service file, right here in the current directory, and we can go in there and inspect that. So this is podman's automatically generated, sort of recommended, unit file to
control this container. Now as you can see in here, all this is doing is basically running podman start and podman stop when the service starts and stops. And if you want to go ahead and use this automatically generated service file, you can do that by moving it from the current directory into /etc/systemd/system; after you put it in there, you would do systemctl daemon-reload and then you would enable and start it just like a normal systemd service. However, I'm actually not going to use that automatically generated file, and the reason why is because that service file does not do everything that I actually wanted to do when it comes to starting and stopping containers. Now I'm going to go back out here; there was a jump in the video, and I just want to show you the current ID of the container, since I have removed and recreated it since the last cut. So if I do podman ps -a, you can see we've got a container right now; it is currently up as of two minutes ago, and the current container ID starts with 06ba. And if we take a look in this service file, the PID file, the process ID file, for that container is hard-coded to the ID of the container. Now what that means is that if we were to remove this container and recreate it, then ideally, to have everything match, we would have to go into this container service and update that container ID. Like I said earlier, one of the things you want to aim for when you're working with containers is to not actually have anything important inside of the container: the container is where the application is running, but any persistent data you want to have outside of the container, and one of the reasons why is because it's very easy, if you do that, to then update your applications, because all that you have to do to update is remove this container, pull the new image, and then start the container again. I'll show you how to do that at the very end of this video, but for now, this automatically generated service file does not do everything that I would
recommend. What I'm going to show you how to do is, instead of just stopping the container when you stop the service, we're actually going to completely remove the container every time we stop the service, and we're going to recreate the container every time we start it. Another problem with the service file is if you were to, say, stop the service and then go into podman and manually, you know, podman rm the container name, then try to start the service again, that is not going to work, because if the container doesn't already exist, if it's not already there and stopped and waiting to be started, podman start vaultwarden is not enough information for podman to actually spin up a new container. You know, we had that big long podman run command earlier that contains all of the necessary information, but the systemd service file, this would only work, once again, to stop and start a container that already exists; and if something takes that container off of the computer, if anybody removes that container, if its ID changes, you know, if anything about that container is no longer in that state waiting to be started, this automatically generated service file will not work. So I'm going to go ahead and remove that, and I am going to create my own here, and I'm going to show you exactly what I'm putting into that. Now I'm going to name it the same thing that the auto-generated one is named, that's container-vaultwarden.service, and you can name it whatever you want; you can name it just vaultwarden.service if you want. I like to prefix the container-; I think that was a good idea on podman's part to do that for the auto-generated one, simply so that I know when I'm dealing with container services, very obviously, that they are container services. But I'm going to go into there; this is now a blank file because we're writing our own unit file, and I'm going to paste in this unit file. Once again, all the text for this is on the website, so check the description of the video for the link, and
this was based on the auto-generated file, so a lot of this stuff is very similar. For the Description, I'm saying this is a podman container, it's the Vaultwarden container. The Documentation: if you need documentation on how to work with the application behind the service, you would check the man page for podman. We obviously want the network to be up, and this service cannot start until the network is online, so we have those dependencies under the [Unit] section here. And at the bottom of the file, the [Install] section is, once again, exactly the same as the auto-generated one: if we enable this service so that it starts automatically, we want it to start automatically when the multi-user target is running or when the default target is running. Now on most systems these are going to be the same; if you're running a server, your default target is probably going to be the multi-user target. However, at least here on DigitalOcean, if I do a systemctl get-default to check the default target, that is graphical.target for some reason, even though here on a server we don't have any graphical application to start, we don't have a GUI installed on the server. But the graphical target, I happen to know, calls the multi-user target anyway, so if your default target happens after multi-user but it depends on multi-user, then the service is going to start when multi-user starts; otherwise, if your default is something earlier than multi-user, it would start when the default starts. So that's all the same as the auto-generated stuff. Now what I actually changed in this service file is everything under the [Service] section, and it looks a little bit more complicated, but once again I think it's actually simpler the way that this works. So the Type of the service is still forking; this was the default, and it is correct for what we're doing, because when we run podman run, remember we passed that -d for daemon, so it's not going to sit there and tie up a terminal, it's going to fork into a new process. So we need
the Type to be set appropriately in order for systemd to keep track of the process for the service after it forks. We want to store the process ID in a PID file. Now %t is basically a shorthand for the run directory, so this is going to store it in /run/, and %N is the name of the service not including the extension, so container-vaultwarden.pid is where the PID file is going to be stored. We're going to restart this service on failure. The timeout when we're stopping it is 70 seconds; it should clean up by then, and if it doesn't, systemd should assume that it doesn't need to sit there and wait for it. Now I've put some comments in here so you can see exactly what is in this service file. So everything under this line is the commands that systemd is running in the background when you start or stop this service. We've got an environment variable we're always going to pass in for these commands, that is PODMAN_SYSTEMD_UNIT=, once again, container-vaultwarden, and, you know, that should be a lowercase n, I think, so that podman knows the entire name of the unit file, that is, a .service file; so I'll go ahead and change that while we're going through it here. Down here we've got ExecStartPre, so when we start this service we're going to run this command first: that is going to be rm, and we're going to -f, that's force, which means we're not going to give an error if these files don't exist; if they don't exist, just silently move on, but if they do exist we want to remove them, and once again we're forcing, so regardless of what their permissions are. And the two files that we're removing are that PID file up here and the container ID file, which is another one that we'll specify in the next commands to be created. The reason why I have this ExecStartPre here is because sometimes things happen: your server may shut off in the middle of operation unexpectedly, there may be a power failure, you know, you may have a crash at the kernel level, there's
something like that. So sometimes services don't stop cleanly; if we end up in a state where either of these files exists but the service is stopped, we're going to need to start the service again, and we don't want it to fail just because these things exist. So basically this is a little bit of preliminary cleanup that would only take effect if the service was not stopped properly before. So that's ExecStartPre, and then ExecStart here: this is the command that we actually want to run when we start this service, and this is what will be run automatically if we have this service enabled when we boot the system and it reaches one of the WantedBy targets. Now once again this is a very long command here, but it's actually the exact same command that I showed you before to start this manually on the command line; I just added a few things right at the beginning. This is the only new stuff that is inserted, and I put it at the front so you can see it a little bit easier. We're doing our same podman run command. We do need to specify the path to podman, since systemd doesn't run commands in a shell, so /usr/bin/podman run. We're passing --replace; this is telling podman, once again, if there's already a container named vaultwarden, replace it, don't fail. You know, we only ever want one container named vaultwarden, and it's this one, so if there's already a container named vaultwarden, just remove that other one and start a new one with the same name. We're passing --conmon-pidfile; conmon is the container monitor process, and we're telling podman that when we start this container up we want a process ID file created in that same spot that we told systemd to look for it, so /run/container-vaultwarden.pid. Once again, all the percent signs here, those are just systemd placeholders to make the text in the file a little shorter, and so if you rename the service file you don't have to go and update in every single place what it's going to be called, but
basically this is going to be podman just creating a text file with the process ID, so that systemd can then read that text file and keep track of whether the application started by the service is still running or not later. We're also passing --cidfile, that's container ID, and the file suffix that podman uses by default is not .cid, it's .ctr-id. Personally I would have gone with .cid if I was writing this from scratch, just because it's more consistent with .pid; I don't know if it's because they wanted to make it extra clear this is keeping track of a container and not a cgroup or something else that starts with the letter c, but you can name this whatever you want as long as you use the same suffix in the rest of the commands that reference it. Once again, this is going to be a text file containing the container ID, the podman container ID of the container, that's the random ID that's assigned when we create the container, that I've shown you a couple of times now. So that's the only new stuff, and then we just continue on with all of the same arguments we already went over earlier in the video. So we're going to run this podman run command to both create and start the container every single time we start this service. Now, when the service stops, we're going to do a few things to clean up. I have three commands here: the first one I used ExecStop for, and the second two I have ExecStopPost that I'm using instead. Now it sounds on the surface like the only difference between these should be that ExecStopPost happens after ExecStop, but that's actually not the case; in fact, you can have multiple ExecStop commands and you can have multiple ExecStopPost commands, and they'll just run in order one after another; systemd will wait for one to finish before starting the next one. So you can make all three of these theoretically ExecStop, or you can make all three of them ExecStopPost; you don't even have to have one or the other in here
at all. Now I've got the podman stop command here under ExecStop, number one because the default podman-generated file that we saw a few minutes ago used regular ExecStop for that, and for another thing, to me it just feels kind of semantically correct to at least stop something when we actually run stop on a service with systemd. But we're saying when we stop this service we're going to run podman stop; -i is for ignore, that means that if the container was already stopped, say that you went in there as an admin and you ran the podman stop command manually, when you then later go and run the systemctl stop command, we don't want that to fail if the container is already stopped; it should really succeed when it sees that it's not there. So podman stop -i will not give an error from podman to systemd if the container is already stopped; otherwise systemd would give you an error. -t 10, that's going to say we're going to give it 10 seconds to stop; when we tell it to stop it should not take longer than 10 seconds; even a slower-running web operation, if you're actively using the application at the time, should take less than 10 seconds, and then the application should be able to exit cleanly. And then we're going to pass in --cidfile and then the path to that container ID file that we specified we were creating up here, and we're referencing it down here. Now notice that we do not have the name of the container in this stop command anymore; we're not saying podman stop vaultwarden, we're saying podman stop the exact container ID that we started earlier. And then down here, like I said, I stopped kind of halfway in the middle of that explanation: the difference between ExecStop and ExecStopPost is not actually the ordering, it's more under what conditions systemd is going to run these commands. So ExecStop is going to be run if you run systemctl stop on a service and that service was marked by systemd as having started correctly. If systemd says this service is running
properly, then it will go ahead and run ExecStop, then it will run ExecStopPost, however many of each that you have. Now sometimes you try to start a service and it doesn't work; maybe podman gave an error message back for some reason. In that case, when you run systemctl start on the service, systemd is going to say the service failed to start. Now if you run systemctl stop in that state, it will actually skip ExecStop, because it never finished starting in the first place; however, it will run ExecStopPost regardless of whether it started successfully or not. That is actually the semantic difference between ExecStop and ExecStopPost, in case you were ever curious about that. But after we've stopped the container, we are going to go ahead, and whether the service had started successfully or not, if we run stop on the service, we not only want to stop the container, we want to remove it entirely. So we're running podman rm -i, once again to ignore if the container is already gone, just keep going; we're going to do -f, so if the container is actually running we're still going to force that container to stop and remove it, just in case this stop command didn't finish or anything like that, or in case the service was in a half-started state and systemd didn't run ExecStop. And once again we are not going to use the name vaultwarden, we are going to use the CID file to remove the exact container ID that systemd started earlier, which is mainly just a little bit better form, so that you don't have to worry about what happens if you change the container's name later or anything like that. And finally, after we run that ExecStopPost command, we've got a second ExecStopPost command; once again, systemd will wait for the first one to finish before it moves on to the next one, and we are going to remove that container ID file. It's important that systemd waits for the first one to finish, because we at least want to start that operation; we need to reference that container ID file, so if you
flipped these two commands around, if this file doesn't exist then this command would fail, so we don't want to remove it until after we've run that podman rm command. We're going to remove that text file containing the container ID. Now the podman documentation, as I read it, states that the container ID file will be removed by the podman rm command, at least if you do it by referencing the CID file; in fact, the way that I read the podman documentation, it sounds like podman rm should always remove the CID file, even if you reference it by name, as long as you created it with this --cidfile; that should be stored somewhere in the container's metadata and podman rm should clean it up. In my testing on Debian 11, I do not see podman cleaning up the container ID file; it leaves that container ID file behind. And really, you don't need this ExecStopPost command, because next time we start this service, systemd is going to check if it's there and remove it if it's still there. Once again, if you don't have either of these, if that container ID file is still there and you don't have systemd clean it up at all, podman will fail here when you tell it to use a CID file location that already exists. But I'm just being extra thorough; I want to clean it up for sure when we stop the container; it just seems correct to me to not have an extra file lying around for a container that doesn't exist anymore. However, we do still also want to check for it and remove it before we start, once again just in case the server powered off or something like that and this ExecStopPost didn't get run. But that's what I'm doing here for this systemd service, and I'm going to show you exactly why I'm doing it this way; once again, at the very end of the video I'll show you how to update Bitwarden. It's super easy to update a container if you write your systemd service this way. Setting it up this way is idempotent, or at least it's very consistent in behavior: whether you have a container running
or not, if you mess with a container separately from the service, every time you run systemctl start or stop you know exactly what state you're going to end up in; you're either going to have a container running by the end of that or it's going to be completely gone. So that is what I would recommend. Once again, all of that text is on the website in the description of this video. So that is the service file that I'm going to use; I've got it right there. So I'm going to move container-vaultwarden.service into /etc/systemd/system, and then I'm going to do a systemctl daemon-reload. Now, just for good form here, I am going to check before I start that service up: if I do a podman ps, once again we can see our container is currently running, so I'm going to do podman stop vaultwarden and then podman rm vaultwarden. So if we do a podman ps -a, you can see there are no containers at all, none that are running, none that aren't running; podman has nothing right now. So we're going to run systemctl status container-vaultwarden.service, and you're going to see some logs in there from when I was testing this earlier, but most importantly, at the top here, you will see that this service is currently disabled and it is currently inactive; it's not running. So we are going to run systemctl start container-vaultwarden.service, and then we're going to do a systemctl status container-vaultwarden; we'll see that it is now running, and if we check podman ps we see that we have a running container. Notice the container ID is different. If we do systemctl restart container-vaultwarden.service, it's going to stop and then start that service again, which is going to destroy and recreate the container, so after restarting that service, podman ps shows a different container ID. That's not a problem at all, because once again all of our data for Vaultwarden is stored in the /vaultwarden/data directory that we created earlier and in our MariaDB database; all of that is outside
of the container so we can remove that container and put it back all day long we don't lose any data okay and now we're going to do systemctl enable container vault warden.service it's going to create those Sim links once again in both multi-user and default.target so whichever one of those targets starts first in our case it's going to be multi-user.target when that Target is going to start it's going to require this service to start before it says that it's done starting now that we've done that I'm going to do a systemctl reboot on this server and that is going to timeout our SSH session so I'm going to come back over here I've got another web browser window and we're just going to wait like a minute here and after we've waited a few seconds a minute to make sure that this server has restarted and we've given it time to have systemd boot the server up and start that container service for us I can go to example.netonthestreet.com again and I'm going to go there and you're going to see it's running we just rebooted the server and it is running I can go ahead and log in with the uh account that I created before there we are I got the password wrong on the first try but we are back in here and if we log back into that server once again the server is freshly booted we can do a systemctl status container of Vault Warden we see that it's running we can do a podman PS PS right there we see the container is running once again all right in the very last part to this video I could just stop right now and you would be very happy with a vault Warden server that starts up on boot on your server however you might be scratching your head when it comes to how to update that application because we told podman to run a Docker image our podman run command ended with the name of the docker image which was Vault Warden server called in latest if you stop and remove and restart your container a couple of times using that same command you'll notice that you don't see all of those 
downloading blobs lines after the first time that you run it podman is going to grab the required image the first time that we reference it but it is going to cache that image it's going to save it on the local server so it doesn't have to download an entire image of the application every single time that you start it you don't want that to happen every time you boot your server up and systemd starts that container it's just going to use the image that's already locally stored when it creates that container so how do you get podman to actually update that locally stored image that's going to be very simple and in fact since it's been about a week since I did the first part of this video we might actually get to see this actually work here otherwise these commands will just do nothing but whenever you want to check for updates and or install updates you can check for updates on Docker Hub on their website but you can install updates with systemctl stop containervault warden.service and then all we have to do to update that local container image is run podman pull and then the same URL Docker colon slash slash Vault Warden slash server colon latest when we run this podman is going to check Docker Hub as you can see it looks like we actually did copy one blob some of the blobs were already up to date so it is sort of a differential update if I run that again podman poll Docker okay no it appears that this was a zero byte download and the blob IDs are the same so it's going to check the metadata for those blobs but basically you can run this at any point it's good to stop the container run it and then start the container again because that updated image won't actually go into effect until the container has been started with it but this podman pull command you only need to run it once when you're doing this it will check Docker Hub and if this image has been updated it will update your local image on this system to match then you just run systemctl start container Vault 
Warden again and we can run systemctl status container Vault Warden you don't have to append dot service at the end here since there are no other types of units with the same name that is optional but that is it the the system is going to update the application inside of that container will be up to date after you do that so that is it that is everything you need to know to not only set up a vault Warden server but to actually administer The Vault Warden server I would recommend if you're running this in production with other people that you go ahead and set up an SMTP system actually getting an SMTP host setup is outside of this video's scope but if you know your SMTP address and credentials you can put that stuff in just by adding Dash e to that podman run command inside of your systemd unit file just right next to the other Dash e options that we already passed just to suggest a Next Step once again if you've got other people on the server who might submit password hint requests or things like that similarly there is an environment variable you can pass signups allowed if you want to disable new signups if you're running a private server and you don't want just anyone on the internet to be able to register a new account you will still be able to send signups From the Vault Warden interface to people that you do want to have accounts after you disable it like that and just to show you really fast if you go to your domain name slash admin here that is going to ask you to enter your admin token that's is the one that we passed as part of the podman command once again in one of those environment variables after you enter that in you also have options to disallow new signups or set your SMTP settings it will actually save those in a config file so you don't have to use those environment variables anymore if you'd rather do it that way so let me know down in the comments once again it's been a while since I've made a video I hope that this video was helpful to you 
guys and I hope that it was coherent if you have any questions you can leave them in the comments section below you can go to discord.nots.co or irc.nots.co to chat you can go to nerdinthestreet.com and leave a comment there you can also watch the videos there or you can leave a post on my forums if you have any more complex questions about your setup and I want to give a huge huge shout out to all of our nerd club members who have been sticking with me on the nerd Club at nerdclub.nots.co you can go here and join for just three dollars a month and I have one time sign up options if you don't like recurring things like I said I just took a sort of long break to finish school last year and I do still have about 15 people here hanging on on the patreon it does cost money to host the website and to keep mirrors of the video up just in in case they ever get removed from YouTube and things like that so please consider joining that if you found this video helpful for now though thank you guys for watching I'm Jacob kauf and I'm the nerd in the street and I'll see you guys in the next one bye [Music]
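The unit file described in the video (stale CID file removed before start, container created with --cidfile, stopped and removed on stop, CID file removed again afterwards, enabled for both multi-user.target and default.target) is not reproduced on this page, so the following is an added example written for this page and is not the video's own service file. Its layout follows what `podman generate systemd --new` emits. The port mapping, the /data mount path inside the image, the DOMAIN value, the DATABASE_URL and ADMIN_TOKEN values, and the ordering after mariadb.service are assumptions for illustration; DATABASE_URL, ADMIN_TOKEN, DOMAIN and SIGNUPS_ALLOWED are Vaultwarden's documented variable names, and the host-side /vaultwarden/data directory and the vaultwarden/server:latest image are the ones named in the video.

```ini
# /etc/systemd/system/container-vaultwarden.service  (added example, not the video's file)
[Unit]
Description=Vaultwarden password manager (Podman container)
Wants=network-online.target
After=network-online.target mariadb.service   # assumption: MariaDB runs on the same host

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
# %t/%n.ctr-id is the container ID (CID) file. Remove a stale copy first:
# podman refuses to start when the --cidfile path already exists, which is
# what you hit after a hard power-off where ExecStopPost never ran.
ExecStartPre=/bin/rm -f %t/%n.ctr-id
ExecStart=/usr/bin/podman run \
    --cidfile=%t/%n.ctr-id \
    --cgroups=no-conmon \
    --sdnotify=conmon \
    --rm -d \
    --name vaultwarden \
    -p 127.0.0.1:8080:80 \
    -v /vaultwarden/data:/data \
    -e DOMAIN=https://vault.example.invalid \
    -e DATABASE_URL=mysql://vaultwarden:CHANGE_ME@127.0.0.1/vaultwarden \
    -e ADMIN_TOKEN=CHANGE_ME \
    -e SIGNUPS_ALLOWED=false \
    docker.io/vaultwarden/server:latest
# Stop and remove by CID file; --ignore keeps both commands from failing when
# the container is already gone (e.g. it was removed by hand with podman rm).
ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id -t 10
ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id
# Belt and braces: podman 3.x on Debian 11 leaves the CID file behind, so
# remove it ourselves rather than rely on the ExecStartPre next time.
ExecStopPost=/bin/rm -f %t/%n.ctr-id
Type=notify
NotifyAccess=all

[Install]
WantedBy=multi-user.target default.target
```

Copy the file into /etc/systemd/system, run `systemctl daemon-reload`, then `systemctl enable --now container-vaultwarden.service`. Because the container is created fresh on every start and destroyed on every stop, the update cycle from the video is just `systemctl stop container-vaultwarden`, `podman pull docker://vaultwarden/server:latest`, `systemctl start container-vaultwarden`; the persistent state lives in /vaultwarden/data and in MariaDB, not in the container. Bind the published port to 127.0.0.1 (as above) when a reverse proxy on the same host terminates TLS, so the plain-HTTP listener is not reachable from outside, and keep SIGNUPS_ALLOWED=false on a private instance, inviting users from the admin page instead.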
Info
Channel: Nerd on the Street
Views: 8,428
Keywords: nerdonthestreet, jacob, kauffmann, jacobgkau, Bitwarden, Vaultwarden, Bitwarden-RS, Rust, password manager, open-source, open source, self-hosted, self hosted, installation, server, setup, set up, install, how to, tutorial, guide, walkthrough, organizations, premium, family, families, organization, free, paid, paid features, C#, Docker, Podman, container, encrypted, sync, cloud, self-host, self host
Id: V8nc9SDzY44
Length: 66min 25sec (3985 seconds)
Published: Fri Feb 03 2023