A mkosi-template for Vaultwarden

This is a mkosi-template for Vaultwarden. To set it up you need mkosi >= 5.

To build this, run sudo mkosi. This will create a new container in /var/lib/machines called vaultwarden. Next you should symlink the .nspawn-config to /etc/systemd/nspawn using sudo ln -s /var/lib/machines/vaultwarden.nspawn /etc/systemd/nspawn/.

After that you need to create the folders we mount into the image. These are /etc/vaultwarden and /var/local/vaultwarden. They should be owned by root and have their permissions set to 700.

Then you need to copy etc/vaultwarden/vaultwarden.env to /etc/vaultwarden/, and set all your variables. You also need to create a database (using PostgreSQL). Lastly you need to set up a web-proxy - see the vaultwarden wiki for examples.

Now all you need to do is to run it - machinectl start vaultwarden. You can drop into the container to troubleshoot using machinectl shell vaultwarden, and you can view logs using journalctl -M vaultwarden from the host, or journalctl -u vaultwarden from inside the container.
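A preflight check for the host directories described above, as an added example that is not part of this template: it confirms each one is a real directory (not a symlink), owned by root, with mode exactly 700. The function names are hypothetical and GNU stat (a Linux host) is assumed.

```shell
#!/bin/sh
# Added example, not part of the template. Function names are hypothetical.
# Assumes GNU stat, as found on a Linux host.

# check_dir PATH [UID]
# Succeeds only if PATH is a plain directory (symlinks are rejected),
# is owned by UID (default 0, root) and has mode exactly 700.
check_dir() {
    dir=$1
    want_uid=${2:-0}
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL $dir: missing or not a plain directory" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$dir")
    uid=$(stat -c '%u' "$dir")
    rc=0
    if [ "$mode" != "700" ]; then
        echo "FAIL $dir: mode is $mode, expected 700" >&2
        rc=1
    fi
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $dir: owner uid is $uid, expected $want_uid" >&2
        rc=1
    fi
    return $rc
}

# audit_dirs UID DIR...
# Checks every directory and reports all problems before failing.
audit_dirs() {
    audit_uid=$1
    shift
    audit_rc=0
    for d in "$@"; do
        check_dir "$d" "$audit_uid" || audit_rc=1
    done
    return $audit_rc
}

# The two directories this README mounts into the image, owner root (uid 0).
audit_dirs 0 /etc/vaultwarden /var/local/vaultwarden ||
    echo "fix the directories above before running machinectl start vaultwarden" >&2
```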

Upgrading from “bitwarden-rs” to “vaultwarden”

The project recently changed its name from Bitwarden-RS to Vaultwarden, and a lot of files have been moved around. If you've been using this mkosi-template, this should be the upgrade path:

$ sudo mv /etc/bitwarden_rs /etc/vaultwarden
$ sudo mv /etc/vaultwarden/bitwarden_rs.env /etc/vaultwarden/env
$ sudo mv /var/local/bitwarden_rs /var/local/vaultwarden
$ sudo chown -R 29033447:29033447 /var/local/vaultwarden/data

As you can see, some files have been moved around, and we've also set a more static UID for the vaultwarden user.