Vaultwarden NixOS - Install/Configure Server

by|inArticles||2 min read
Vaultwarden on NixOS
Vaultwarden on NixOS

Running your own password manager server may be not a good idea in the first place. You need to maintain a server, dependencies, etc. Furthermore, when under attack, you are on your own. Those are the drawbacks.

But on the other side, when a big provider - like Lastpass gets hacked, it raises a big concern. Personally, I am not a big fan of storing personal data on a third party server, it does not matter if it is encrypted or not. What if the provider decides to close you out of the service? In this case, an own server can be a good alternative. Especially when you can rely on the same technology as the service provider.

With Bitwarden and Passbolt we have two possible solutions to run an own server. Since I am not a big fan of PHP (and Passbolt is written in PHP), I prefer Bitwarden, or in this case Vaultwarden (Rust implementation of the Bitwarden API).

On NixOS we can run and configure the service easily, thanks to the great work of the open source community which is working on nixpkgs.

Installing Vaultwarden on NixOS

The installation is pretty simple. We just need to active the service, as we would do for instance with nginx:

services.vaultwarden.enable = true;

The only thing we need to do after is to build our configuration:

sudo nixos-rebuild switch

By default the server will run on the port 8000 on the local network (127.0.0.1). You can verify the installation by using the systemctl command:

sudo systemctl status vaultwarden

As well the valutlwarden service will be visible in htop.

Running Vaultwarden behind Nginx

It is highly recommended not to run vaultwarden directly on a public IP. Instead we run it behind Nginx. Hence, we keep the default settings of the vaultwarden service and configure the Nginx service as follows:

security.acme.defaults.email = "yourmail@example.com";
security.acme.acceptTerms = true;

services.nginx = {
    enable = true;
    
    # Use recommended settings
    recommendedGzipSettings = true;

    virtualHosts."bitwarden.example.com" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:8000";
      };
    };
};

We use as well ACME to have a free SSL Certificate for our domain (or sub-domain). Pay attention that we forceSSL as well, so we can be sure to avoid MITM (man in the middle) attacks.

Thank you for reading this far! Let’s connect. You can @ me on Twitter (@debilofant) with comments, or feel free to follow. Please like/share this article so that it reaches others as well.

Related Articles

© Copyright 2023 - ersocon.net - All rights reservedVer. 402