
Self-hosting a Bitwarden password manager

毋修为
2023-12-01

Notes on self-hosting a Bitwarden password manager: a vaultwarden instance (the project formerly named bitwarden_rs, a Rust reimplementation of the Bitwarden server API) deployed with Docker on Ubuntu.

Install Docker
# Install with the official convenience script (it runs as root; save it to a file and read it first if you want to see what it changes)
$ wget -qO- get.docker.com | bash
Install docker-compose
# Compose v1, the standalone docker-compose binary below, stopped receiving updates in mid-2023; the Docker-maintained replacement is the `docker compose` plugin, and every command in this post works the same with `docker compose` in place of `docker-compose`. If you do use the standalone binary, compare its checksum with the one published alongside the release before marking it executable.
$ curl -L "https://github.com/docker/compose/releases/download/1.26.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
$ chmod +x /usr/local/bin/docker-compose

# From mainland China the download below is usually faster
$ curl -L "https://get.daocloud.io/docker/compose/releases/download/1.26.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
$ chmod +x /usr/local/bin/docker-compose

# On a VPS or server in mainland China, pointing Docker at a domestic registry mirror makes image pulls faster.
# Mirrors are third-party services that come and go: check that the ones you list still operate, and pin the
# vaultwarden image by digest if you do not trust the mirror to serve unmodified images.
cat >/etc/docker/daemon.json<<EOF
{
  "registry-mirrors": [
    "https://hub-mirror.c.163.com",
    "https://dockerhub.azk8s.cn",
    "https://reg-mirror.qiniu.com"
  ]
}
EOF

# Start Docker and enable it at boot:
$ systemctl start docker
$ systemctl enable docker
Deploy vaultwarden (bitwarden_rs)
$ cd ~ && mkdir bitwarden && cd bitwarden
$ cat > ~/bitwarden/docker-compose.yml<<EOF
version: "3"

services:
  bitwarden:
    image: vaultwarden/server
    container_name: vaultwarden
    restart: always
    ports:
        - "127.0.0.1:8087:80" # map host port 8087 to container port 80, on loopback only so nginx stays the single public entry point
        - "127.0.0.1:3012:3012"
    volumes:
      - ./bw-data:/data
    environment:
      WEBSOCKET_ENABLED: "true" # enable WebSocket notifications (vaultwarden 1.29 and later also serve them on the main port, so 3012 is then optional)
      SIGNUPS_ALLOWED: "true"   # open registration; for personal use, register your own account and then set this to false
      WEB_VAULT_ENABLED: "true" # enable the web vault client
      # ADMIN_TOKEN: "<random token>"   # password for the admin page; generate it with openssl rand -base64 48. Commented out here, so /admin is disabled; remove the leading # and fill in the token to enable it
EOF

Two things the file above leaves out: set DOMAIN to the public https:// URL of the vault (the web vault, WebAuthn and the links in e-mails depend on it), and serve the site over HTTPS only. The Bitwarden clients and the web vault's crypto APIs require a secure context, so a plain-HTTP origin other than localhost does not work; the nginx section below is where TLS terminates.

# Start vaultwarden
$ cd ~/bitwarden
$ docker-compose up -d   # if this fails with a daemon connection error, see "Add the user to the docker group" below
$ docker-compose down    # stop the service
$ docker-compose restart # restart the service
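The settings in that compose file decide who can reach the vault and who can administer it, so they are worth checking mechanically before `docker-compose up -d`. The script below is an added example, not code from the original post or from vaultwarden; it assumes only the file layout used above (a `ports:` list and an `environment:` map with `KEY: "value"` entries), and the hostname `vault.example.com` in its advice is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post or from vaultwarden:
# a pre-deploy check of docker-compose.yml for the settings that decide who
# can reach the vault and who can administer it. It assumes only the file
# layout used above (ports: list, environment: map with KEY: "value").

# audit_compose FILE: print one finding per line, return 1 if any were found.
audit_compose() {
  file="$1"; rc=0

  # A port line without a 127.0.0.1 prefix ("8087:80" or "0.0.0.0:8087:80")
  # publishes the container on every interface, bypassing nginx and TLS.
  if grep -Eq '^[[:space:]]*-[[:space:]]*"?(0\.0\.0\.0:)?[0-9]+:[0-9]+' "$file"; then
    echo "ports: published on all interfaces; bind to 127.0.0.1 and reach it through nginx"; rc=1
  fi

  # Open registration lets anyone who can reach the URL create an account.
  if grep -Eq '^[[:space:]]*SIGNUPS_ALLOWED:[[:space:]]*"?true' "$file"; then
    echo "SIGNUPS_ALLOWED: true; set it to false once your own account exists"; rc=1
  fi

  # ADMIN_TOKEN unset disables /admin, which is fine. If it is set, it should be
  # either a long random string or an argon2 PHC hash (vaultwarden accepts both;
  # in a compose file every $ of the hash is written as $$ to stop interpolation).
  tok=$(sed -n 's/^[[:space:]]*ADMIN_TOKEN:[[:space:]]*"\{0,1\}\([^"#]*\).*/\1/p' "$file" \
        | head -n 1 | sed 's/[[:space:]]*$//')
  if [ -n "$tok" ]; then
    case "$tok" in
      '$argon2'*|'$$argon2'*) ;;
      *) if [ "${#tok}" -lt 32 ]; then
           echo "ADMIN_TOKEN: only ${#tok} chars; generate one with: openssl rand -base64 48"; rc=1
         fi ;;
    esac
  fi

  # DOMAIN tells vaultwarden its public https:// origin; WebAuthn and the
  # links in e-mails depend on it. vault.example.com is a placeholder.
  if ! grep -Eq '^[[:space:]]*DOMAIN:[[:space:]]*"?https://' "$file"; then
    echo "DOMAIN: not set to an https:// URL; add DOMAIN: \"https://vault.example.com\""; rc=1
  fi

  return "$rc"
}

# Stand-alone use: ./audit.sh docker-compose.yml
if [ "${1-}" ]; then audit_compose "$1"; fi
```

Run it against the file from this post and it reports the open registration and the missing DOMAIN; against a hardened copy (loopback ports, SIGNUPS_ALLOWED false, an argon2 or 48-byte random ADMIN_TOKEN, DOMAIN set) it exits 0, which makes it a cheap gate in whatever script redeploys the container.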
Add the user to the docker group

If you get this error:

ERROR: Couldn't connect to Docker daemon at http+docker://localunixsocket - is it running?
If it's at a non-standard location, specify the URL with the DOCKER_HOST environment variable.

the fix is to add the current user to the docker group:

$ sudo gpasswd -a ${USER} docker

# Then log out and back in (for example switch to root and back to the user) so the new group membership takes effect, and run `docker-compose up -d` again.
# Note that membership in the docker group is equivalent to root on the host: anyone in it can start a container with / bind-mounted. Add only the account that manages this deployment.
Configure nginx
The location blocks below go inside the server {} block that terminates TLS for the vault's hostname; the server block itself (listen 443 ssl, certificate paths) is not shown here. The Upgrade/Connection headers on location / are what let WebSocket notifications pass through.

location / {
    proxy_pass http://127.0.0.1:8087;
    proxy_http_version    1.1;
    proxy_cache_bypass    $http_upgrade;
    proxy_set_header Upgrade            $http_upgrade;
    proxy_set_header Connection         "upgrade";
    proxy_set_header Host               $host;
    proxy_set_header X-Real-IP          $remote_addr;
    proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-Host   $host;
    proxy_set_header X-Forwarded-Port   $server_port;
}

location /notifications/hub {
    proxy_pass http://127.0.0.1:3012;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}

location /notifications/hub/negotiate {
    proxy_pass http://127.0.0.1:8087;
}

# /admin: with ADMIN_TOKEN unset vaultwarden refuses it, but once you enable the admin page,
# restrict this location to your own addresses (allow/deny) or leave it out of the public server block.
location /admin {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://127.0.0.1:8087;
}
Upgrading vaultwarden (bitwarden_rs)

vaultwarden releases are frequent, so upgrade from time to time. Take a backup of bw-data first (see the backup section below): a new release may migrate the database schema, and going back to the previous image afterwards is not guaranteed to work.

$ cd ~/bitwarden
$ docker-compose down
$ docker pull vaultwarden/server:latest
$ docker-compose up -d
Backing up to Google Drive
  • Install rclone, see the docs on github

    $ curl https://rclone.org/install.sh | sudo bash
    
  • Set up rclone config, see https://rclone.org/drive

    $ rclone config
    
    # copy the local directory to the remote
    $ rclone copy /xxx/bw-data remote:xxx
    
  • Set up a scheduled job

    $ crontab -e # this opens the cron table for editing
    
  • Add the job

    # back up once a day at 02:00
    0 2 * * *   rclone copy ~/bitwarden/bw-data remote:bitwarden/bw-data
    
Two caveats that a straight rclone copy of the live directory does not address. First, db.sqlite3 is open and being written while the container runs, so a file-level copy can be inconsistent; snapshot it with sqlite3's .backup command (or stop the container) before copying. Second, bw-data is not only the encrypted vaults: it also holds rsa_key.pem, which signs the login tokens, and config.json with any settings saved from the admin page, so point the job at an rclone crypt remote rather than pushing the directory to Google Drive in the clear.

Restoring from backup
# copy the remote back to the local directory; stop the container first (docker-compose down), because replacing db.sqlite3 underneath a running process can corrupt it
$ rclone copy remote:xxx /xxx/bw-data

# restart to pick up the restored files
$ docker-compose restart
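A backup step that takes care of both caveats above (a consistent database snapshot, and an archive you can verify before and after the upload) looks like the script below. It is an added example, not code from the original post or from vaultwarden; it assumes vaultwarden's /data layout (db.sqlite3 plus db.sqlite3-wal while running, rsa_key.pem, rsa_key.pub.pem, config.json, attachments/, sends/), and the paths in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not part of the original post or of vaultwarden itself):
# build a consistent, self-verifying backup of the bw-data directory before
# rclone ships it to Google Drive. Assumed layout (vaultwarden's /data):
# db.sqlite3 (+ db.sqlite3-wal while running), rsa_key.pem, rsa_key.pub.pem,
# config.json, attachments/, sends/.
set -eu

# sha256sum on Linux, shasum on macOS; both understand -c for verification.
sum256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# Snapshot the SQLite database through the online-backup API so the copy is
# consistent even while the container is writing. A plain cp/rclone of a live
# db.sqlite3 can catch a half-written page and ignores the WAL entirely.
snapshot_db() {
  src="$1"; dst="$2"
  if command -v sqlite3 >/dev/null 2>&1; then
    sqlite3 "$src" ".backup '$dst'"
  elif [ -s "$src-wal" ]; then
    echo "refusing raw copy: $src-wal holds unflushed writes; stop the container or install sqlite3" >&2
    return 1
  else
    cp "$src" "$dst"
  fi
}

# Pack the files that matter into a timestamped tarball plus a checksum file.
# Prints the archive path.
make_backup() {
  data="$1"; out="$2"
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  work=$(mktemp -d)
  mkdir -p "$work/bw-data" "$out"
  snapshot_db "$data/db.sqlite3" "$work/bw-data/db.sqlite3"
  # rsa_key.pem signs login tokens; losing it logs every client out after a restore
  for f in rsa_key.pem rsa_key.pub.pem config.json; do
    if [ -f "$data/$f" ]; then cp "$data/$f" "$work/bw-data/$f"; fi
  done
  for d in attachments sends; do
    if [ -d "$data/$d" ]; then cp -R "$data/$d" "$work/bw-data/$d"; fi
  done
  archive="$out/bw-data-$stamp.tar.gz"
  tar -C "$work" -czf "$archive" bw-data
  (cd "$out" && sum256 "bw-data-$stamp.tar.gz" > "bw-data-$stamp.tar.gz.sha256")
  rm -rf "$work"
  echo "$archive"
}

# Verify before (and after) upload: checksum intact and the database present.
verify_backup() {
  archive="$1"
  dir=$(dirname "$archive"); name=$(basename "$archive")
  (cd "$dir" && sum256 -c "$name.sha256" >/dev/null 2>&1) || return 1
  tar -tzf "$archive" | grep -qx 'bw-data/db.sqlite3'
}

# Stand-alone use (placeholder paths): ./backup.sh ~/bitwarden/bw-data ~/backups
if [ "${1-}" ] && [ "${2-}" ]; then
  a=$(make_backup "$1" "$2")
  verify_backup "$a" && echo "ok: $a"
fi
```

Point the cron job at this script instead of at the raw directory, then `rclone copy` the output directory to an rclone crypt remote so the archive and its .sha256 file reach Google Drive encrypted; running `verify_backup` on a copy pulled back with `rclone copy` is the cheapest restore drill.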