Bitwarden is an open-source password manager with clients for many platforms. It follows the model of a cloud-hosted database with client-side synchronization and offline use, much like today's 1Password. vaultwarden is an unofficial Bitwarden server implementation written in Rust that is compatible with the official clients on every platform. The bitwarden_rs project has since been renamed vaultwarden; this article covers deployment on Debian 10.
Building and installing
Install dependencies
apt -y update
apt -y install wget curl git build-essential pkg-config libssl-dev libsqlite3-dev
Install Rust
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source $HOME/.cargo/env
Build and install vaultwarden
wget https://github.com/dani-garcia/vaultwarden/archive/refs/tags/1.21.0.tar.gz
tar xzf 1.21.0.tar.gz
cd vaultwarden-1.21.0
cargo build --features sqlite --release
Note: for ease of maintenance and management I use the SQLite database here; the resulting binary is located at target/release/vaultwarden.
The build takes about 5 minutes. When it finishes, copy the binary into /usr/bin and make it executable:
cp target/release/vaultwarden /usr/bin/vaultwarden
chmod +x /usr/bin/vaultwarden
Next, create the working directory that will hold the data and install the web-vault into it; the working directory is /data/vaultwarden
mkdir /data/vaultwarden && cd /data/vaultwarden
wget https://github.com/dani-garcia/bw_web_builds/releases/download/v2.20.4/bw_web_v2.20.4.tar.gz
tar -xzvf bw_web_v2.20.4.tar.gz
Note: building the web-vault yourself needs at least 1.5 GB of memory, so I simply use the web-vault prebuilt by the vaultwarden author.
Create the .env configuration file: vi vaultwarden.env
Write the following configuration:
SIGNUPS_ALLOWED=true
SIGNUPS_DOMAINS_WHITELIST=uskvm.com
INVITATIONS_ALLOWED=false
WEBSOCKET_ENABLED=true
WEBSOCKET_ADDRESS=127.0.0.1
WEBSOCKET_PORT=3012
ROCKET_ADDRESS=127.0.0.1
ROCKET_PORT=8000
DOMAIN=https://vault.uskvm.com
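As an added example (not from the original post or the vaultwarden project), the following POSIX shell check lints a vaultwarden.env like the one above for the settings that matter when nginx terminates TLS in front of the backend: both listen addresses on loopback, an https DOMAIN, open signups restricted by a whitelist, and a file that other local users cannot read. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: lint a vaultwarden .env file for the settings that matter when
# nginx terminates TLS in front of the backend. Function names are hypothetical.

# Last value assigned to KEY in FILE (later lines win), surrounding quotes removed.
env_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Print one finding per line; return 0 when clean, 1 otherwise.
check_vaultwarden_env() {
    file="$1"
    rc=0

    # The API and the websocket port must stay on loopback: nginx is the only
    # thing that should reach them, and it is what adds TLS and the headers.
    for key in ROCKET_ADDRESS WEBSOCKET_ADDRESS; do
        addr=$(env_value "$file" "$key")
        case "$addr" in
            127.0.0.1|::1|localhost) ;;
            "") echo "$key is unset; set it to 127.0.0.1 explicitly"; rc=1 ;;
            *)  echo "$key=$addr listens beyond loopback"; rc=1 ;;
        esac
    done

    # DOMAIN is the URL the clients are told to use; it must be https.
    domain=$(env_value "$file" DOMAIN)
    case "$domain" in
        https://*) ;;
        *) echo "DOMAIN=$domain is not an https URL"; rc=1 ;;
    esac

    # Open registration on a public instance lets anyone create vaults on your
    # server; when it is enabled, SIGNUPS_DOMAINS_WHITELIST should restrict it.
    if [ "$(env_value "$file" SIGNUPS_ALLOWED)" = "true" ] &&
       [ -z "$(env_value "$file" SIGNUPS_DOMAINS_WHITELIST)" ]; then
        echo "SIGNUPS_ALLOWED=true without SIGNUPS_DOMAINS_WHITELIST"; rc=1
    fi

    # The env file may later hold admin or SMTP credentials, so it should not
    # carry the world-readable bit (mode ----- ---r--, octal 004).
    if [ -n "$(find "$file" -perm -004 2>/dev/null)" ]; then
        echo "$file is world-readable"; rc=1
    fi
    return "$rc"
}
```

Run it as `check_vaultwarden_env /data/vaultwarden/vaultwarden.env` after editing the file and before starting the service.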
Create the systemd service: vi /etc/systemd/system/vaultwarden.service
Write the following configuration:
[Unit]
Description=Bitwarden Server (Rust Edition)
Documentation=https://github.com/dani-garcia/vaultwarden
After=network.target
[Service]
User=root
Group=root
EnvironmentFile=/data/vaultwarden/vaultwarden.env
ExecStart=/usr/bin/vaultwarden
LimitNOFILE=1048576
LimitNPROC=64
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
WorkingDirectory=/data/vaultwarden
ReadWriteDirectories=/data/vaultwarden
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
Enable vaultwarden to start on boot:
systemctl daemon-reload
systemctl enable vaultwarden.service
systemctl restart vaultwarden.service
Create the nginx site configuration file
The service is accessed through a subdomain
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate /usr/local/nginx/conf/ssl/uskvm.crt;
    ssl_certificate_key /usr/local/nginx/conf/ssl/uskvm.key;
    ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 10m;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_buffer_size 1400;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /usr/local/nginx/conf/ssl/root.crt;
    server_name vault.uskvm.com;
    access_log /data/wwwlogs/vault.uskvm.com_nginx.log combined;
    error_log /data/wwwlogs/vault.uskvm.com_nginx_error.log error;
    # plain-HTTP requests are redirected to HTTPS
    if ($ssl_protocol = "") { return 301 https://$host$request_uri; }
    client_max_body_size 128M;
    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    location /notifications/hub {
        proxy_pass http://127.0.0.1:3012;
        # the WebSocket upgrade only works over HTTP/1.1; nginx proxies with 1.0 by default
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    location /notifications/hub/negotiate {
        proxy_pass http://127.0.0.1:8000;
    }
}
In the end, because the clients are too ugly and because of issues such as domain matching, I did not switch to Bitwarden and still use 1Password as my password manager.