Here is how to install Bitwarden_rs on Debian 10 with MySQL support

Below I describe how to install and configure Bitwarden_rs to work with MySQL without the need for Docker.


Install required software

Not everything below is required, but I like to install it anyway.

apt install -y tmux
tmux
apt install -y build-essential git pkg-config libssl-dev libmariadb-dev-compat libmariadb-dev htop curl wget

Install Rust

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

Choose 1) Proceed with installation (default)

To configure your current shell, run the following or disconnect then reconnect to the SSH session

source $HOME/.cargo/env


Install Node

mkdir /opt/node
cd /opt/node
wget https://nodejs.org/dist/latest-v11.x/node-v11.15.0-linux-x64.tar.xz
tar xJvf node-v11.15.0-linux-x64.tar.xz
ln -s /opt/node/node-v11.15.0-linux-x64 /opt/node/current
for f in /opt/node/current/bin/*; do ln -s "$f" /usr/sbin/; done

Compile with MySQL backend

mkdir /opt/bitwarden_rs
cd /opt/bitwarden_rs
wget https://github.com/dani-garcia/bitwarden_rs/archive/1.19.0.tar.gz
tar xzvf 1.19.0.tar.gz
cd bitwarden_rs-1.19.0
cargo build --features mysql --release

This places the compiled binary at target/release/bitwarden_rs.


Now it’s time for the web vault

cd target/release
wget https://github.com/dani-garcia/bw_web_builds/releases/download/v2.18.1/bw_web_v2.18.1.tar.gz
tar xzvf bw_web_v2.18.1.tar.gz

The build is now complete. You can copy /opt/bitwarden_rs/bitwarden_rs-1.19.0/target/release to wherever you want to run it.


Now it’s time to configure the systemd unit

nano /etc/systemd/system/vaultdomaincom.service

[Unit]
Description=Bitwarden Server (Rust Edition)
Documentation=https://github.com/dani-garcia/bitwarden_rs
# If you use a database like mariadb,mysql or postgresql, 
# you have to add them like the following and uncomment them 
# by removing the `# ` before it. This makes sure that your 
# database server is started before bitwarden_rs ("After") and has 
# started successfully before starting bitwarden_rs ("Requires").

# Only sqlite
#After=network.target

#MariaDB
After=network.target mariadb.service
Requires=mariadb.service

# Mysql
# After=network.target mysqld.service
# Requires=mysqld.service

# PostgreSQL
# After=network.target postgresql.service
# Requires=postgresql.service


[Service]
# The user/group bitwarden_rs is run under. The working directory (see below) should allow write and read access to this user/group
User=bitwarden
Group=bitwarden
# The location of the .env file for configuration
EnvironmentFile=/home/bitwarden/vault.domain.com/.env
# The location of the compiled binary
ExecStart=/home/bitwarden/vault.domain.com/bitwarden_rs
# Set reasonable connection and process limits
LimitNOFILE=1048576
LimitNPROC=64
# Isolate bitwarden_rs from the rest of the system
PrivateTmp=true
PrivateDevices=true
# ProtectHome stays disabled here because the binary and its data live under /home/bitwarden
##ProtectHome=true
ProtectSystem=strict
# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
WorkingDirectory=/home/bitwarden/vault.domain.com/
ReadWriteDirectories=/home/bitwarden/vault.domain.com/
# Allow bitwarden_rs to bind ports in the range of 0-1024
#AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

Now we will start the daemon

systemctl daemon-reload
systemctl enable vaultdomaincom --now

Nginx block

nano /etc/nginx/conf.d/vault.domain.com

server {
    listen 80;

    server_name vault.domain.com;
    return 301 https://vault.domain.com$request_uri;
}

server {
  listen 443 ssl http2;
  server_name vault.domain.com;

  ssl_certificate            /etc/nginx/ssl/vault.domain.com/fullchain-crt;
  ssl_certificate_key        /etc/nginx/ssl/vault.domain.com/key;

  error_log /var/log/nginx/vault.domain.com_error.log;
  access_log /var/log/nginx/vault.domain.com_access.log;

  # Allow large attachments
  client_max_body_size 128M;

  location / {
    proxy_pass http://127.0.0.1:4756;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

  location /notifications/hub {
    proxy_pass http://127.0.0.1:3658;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }

  location /notifications/hub/negotiate {
    proxy_pass http://127.0.0.1:4756;
  }

  # Optionally add extra authentication besides the ADMIN_TOKEN
  # If you don't want this, leave this part out
  location /admin {
    # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
    auth_basic "Private";
    auth_basic_user_file /etc/nginx/passwd/bwAdmin;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_pass http://127.0.0.1:4756;
  }
}

Now configure the .env file

nano /home/bitwarden/vault.domain.com/.env

DATABASE_URL='mysql://vaultusername:sqlpasswd@localhost:3306/dbName'
#ADMIN_TOKEN='supersecret'
#DOMAIN='https://vault.domain.com'
#SMTP_HOST=mx.domain.com
#SMTP_FROM=vault@domain.com
#SMTP_PORT=587
#SMTP_SSL=true
#SMTP_USERNAME=vault@domain.com
#SMTP_PASSWORD='smtp_passwd'
ROCKET_ADDRESS=127.0.0.1
ROCKET_PORT=4756
WEBSOCKET_ENABLED=true
WEBSOCKET_PORT=3658
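
As an added example (not part of the original post), the shell function below audits the .env file above before the service is started: file mode, loopback binding, and leftover template secrets. The function names and the 32-character floor for ADMIN_TOKEN are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a bitwarden_rs .env file.
# Usage: audit_env /home/bitwarden/vault.domain.com/.env
# Prints one line per finding; returns 0 when clean, 1 otherwise.

# env_value FILE KEY: value of the last uncommented KEY= line, quotes stripped.
env_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed "s/^['\"]//; s/['\"][[:space:]]*\$//"
}

note() { echo "FINDING: $1"; findings=$((findings + 1)); }

audit_env() {
    file=$1; findings=0
    [ -f "$file" ] || { note "$file not found"; return 1; }

    # The file holds the database password: group and other get no access.
    mode=$(stat -c '%a' "$file")          # GNU stat, as shipped with Debian
    case $mode in
        *00|0) ;;
        *) note "mode $mode grants access beyond the owner; chmod 600" ;;
    esac

    # The backend must listen on loopback so that only nginx can reach it.
    addr=$(env_value "$file" ROCKET_ADDRESS)
    case $addr in
        127.*|localhost|::1) ;;
        *) note "ROCKET_ADDRESS='$addr' is not a loopback address" ;;
    esac

    # Template secrets must be replaced; 32 characters is this example's floor.
    token=$(env_value "$file" ADMIN_TOKEN)
    if [ -n "$token" ] && [ "${#token}" -lt 32 ]; then
        note "ADMIN_TOKEN is shorter than 32 characters"
    fi
    case $(env_value "$file" DATABASE_URL) in
        *:sqlpasswd@*) note "DATABASE_URL still has the template password" ;;
    esac

    [ "$findings" -eq 0 ]
}

# Constructed sample: the post's template values in a world-readable file.
demo=$(mktemp)
printf '%s\n' "DATABASE_URL='mysql://vaultusername:sqlpasswd@localhost:3306/dbName'" \
    "ADMIN_TOKEN='supersecret'" "ROCKET_ADDRESS=0.0.0.0" > "$demo"
chmod 644 "$demo"
audit_env "$demo" || echo "$findings finding(s)"
rm -f "$demo"
```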

As always, this isn’t a complete start-to-finish guide; it is more of a template covering the steps I would otherwise forget.