I did a massive bitwarden_rs to vaultwarden rename, so you might have to do things a little differently than what this says!!

Here is how to install vaultwarden on Debian 10 with MySQL support

Below I describe how to install and configure vaultwarden to work with MySQL without the need for Docker.


Install required software

Not everything below is required, but I like to install it anyway

apt install -y tmux
tmux
apt install -y build-essential git pkg-config libssl-dev libmariadb-dev-compat libmariadb-dev htop curl wget

Install Rust

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

Choose 1) Proceed with installation (default)

To configure your current shell, run the following or disconnect then reconnect to the SSH session

source $HOME/.cargo/env


Install Node

mkdir /opt/node
cd /opt/node
wget https://nodejs.org/dist/latest-v11.x/node-v11.15.0-linux-x64.tar.xz
tar xJvf node-v11.15.0-linux-x64.tar.xz
ln -s /opt/node/node-v11.15.0-linux-x64 /opt/node/current
for f in /opt/node/current/bin/*; do ln -s "$f" /usr/sbin/; done

Compile with MySQL Backend

mkdir /opt/vaultwarden
cd /opt/vaultwarden
wget https://github.com/dani-garcia/vaultwarden/archive/1.19.0.tar.gz
tar xzvf 1.19.0.tar.gz
cd vaultwarden-1.19.0
cargo build --features mysql --release

This puts the compiled binary at target/release/vaultwarden


Now it’s time for the web vault

cd target/release
wget https://github.com/dani-garcia/bw_web_builds/releases/download/v2.18.1/bw_web_v2.18.1.tar.gz
tar xzvf bw_web_v2.18.1.tar.gz

The build is now complete. You should be good to copy /opt/vaultwarden/vaultwarden-1.19.0/target/release to wherever you want to run it


Now it’s time to configure the systemd unit

nano /etc/systemd/system/vaultwarden.service

[Unit]
Description=Bitwarden Server (Rust Edition)
Documentation=https://github.com/dani-garcia/vaultwarden

After=network.target mariadb.service
Requires=mariadb.service

[Service]
# The user/group vaultwarden is run under. The working directory (see below) should allow write and read access to this user/group
User=bitwarden
Group=bitwarden
# The location of the .env file for configuration
EnvironmentFile=/home/bitwarden/vault.domain.com/.env
# The location of the compiled binary
ExecStart=/home/bitwarden/vault.domain.com/vaultwarden
# Set reasonable connection and process limits
LimitNOFILE=1048576
LimitNPROC=64
# Isolate vaultwarden from the rest of the system
PrivateTmp=true
PrivateDevices=true
ProtectSystem=strict
# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
WorkingDirectory=/home/bitwarden/vault.domain.com/
ReadWritePaths=/home/bitwarden/vault.domain.com/

[Install]
WantedBy=multi-user.target

Now we will start the daemon

systemctl daemon-reload
systemctl enable vaultwarden --now

NGiNX Block

nano /etc/nginx/conf.d/vault.domain.com.conf

server {
    listen 80;

    server_name vault.domain.com;
    return 301 https://vault.domain.com$request_uri;
}

server {
  listen 443 ssl http2;
  server_name vault.domain.com;

  ssl_certificate            /etc/nginx/ssl/vault.domain.com/fullchain-crt;
  ssl_certificate_key        /etc/nginx/ssl/vault.domain.com/key;

  error_log /var/log/nginx/vault.domain.com_error.log;
  access_log /var/log/nginx/vault.domain.com_access.log;

  # Allow large attachments
  client_max_body_size 128M;

  location / {
    proxy_pass http://127.0.0.1:4756;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

  location /notifications/hub {
    proxy_pass http://127.0.0.1:3658;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }

  location /notifications/hub/negotiate {
    proxy_pass http://127.0.0.1:4756;
  }

  # Optionally add extra authentication besides the AUTH_TOKEN
  # If you don't want this, leave this part out
  location /admin {
    # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
    auth_basic "Private";
    auth_basic_user_file /etc/nginx/passwd/bwAdmin;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_pass http://127.0.0.1:4756;
  }
}

Now configure .env file

nano /home/bitwarden/vault.domain.com/.env

DATABASE_URL='mysql://vaultusername:sqlpasswd@localhost:3306/dbName'
#ADMIN_TOKEN='supersecret'
#DOMAIN='https://vault.domain.com'
#SMTP_HOST=mx.domain.com
#[email protected]
#SMTP_PORT=587
#SMTP_SSL=true
#[email protected]
#SMTP_PASSWORD='smtp_passwd'
ROCKET_ADDRESS=127.0.0.1
ROCKET_PORT=4756
WEBSOCKET_ENABLED=true
WEBSOCKET_PORT=3658
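
A pre-start check for the .env above, as an added example that is not part of the original post: it flags a file readable by group or other, the template DB password, a short ADMIN_TOKEN, a non-HTTPS DOMAIN, and backend listeners not bound to loopback. The 32-character threshold is an assumption of this example, and WEBSOCKET_ADDRESS is a vaultwarden setting (default 0.0.0.0) that the file above does not set.

```shell
#!/bin/sh
# Added example (not from the original post): audit a vaultwarden .env file.

# env_get FILE KEY: value of the last uncommented KEY= line, quotes stripped.
env_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed "s/^['\"]//; s/['\"][[:space:]]*\$//"
}

is_loopback() {
    case $1 in 127.*|::1|localhost) return 0 ;; *) return 1 ;; esac
}

# audit_env FILE: print one line per finding; return 1 if any, else 0.
audit_env() {
    f=$1 bad=0
    # The file holds the DB password and admin token: owner-only access.
    mode=$(stat -c '%a' "$f")
    case $mode in *00) ;; *) echo "mode $mode: chmod 600, file holds secrets"; bad=1 ;; esac
    # Placeholder DB password copied from the template above.
    case $(env_get "$f" DATABASE_URL) in
        *:sqlpasswd@*) echo "DATABASE_URL: template password still in use"; bad=1 ;;
    esac
    # A set ADMIN_TOKEN enables /admin; 32 chars is this example's threshold.
    tok=$(env_get "$f" ADMIN_TOKEN)
    if [ -n "$tok" ] && [ "${#tok}" -lt 32 ]; then
        echo "ADMIN_TOKEN: only ${#tok} chars, use a long random value"; bad=1
    fi
    case $(env_get "$f" DOMAIN) in
        ''|https://*) ;;
        *) echo "DOMAIN: not an https:// URL"; bad=1 ;;
    esac
    # nginx should be the only client of both backend listeners.
    addr=$(env_get "$f" ROCKET_ADDRESS)
    is_loopback "$addr" || { echo "ROCKET_ADDRESS='$addr': bind to 127.0.0.1"; bad=1; }
    if [ "$(env_get "$f" WEBSOCKET_ENABLED)" = true ]; then
        ws=$(env_get "$f" WEBSOCKET_ADDRESS)
        is_loopback "$ws" || { echo "WEBSOCKET_ADDRESS='$ws': bind to 127.0.0.1"; bad=1; }
    fi
    return "$bad"
}

# With no argument, audit a constructed sample: the active lines of the .env above.
if [ "$#" -gt 0 ]; then audit_env "$1"; else
    t=$(mktemp); chmod 644 "$t"
    printf '%s\n' "DATABASE_URL='mysql://vaultusername:sqlpasswd@localhost:3306/dbName'" \
        ROCKET_ADDRESS=127.0.0.1 WEBSOCKET_ENABLED=true WEBSOCKET_PORT=3658 > "$t"
    audit_env "$t" || true; rm -f "$t"
fi
```

Pass the real path (for example /home/bitwarden/vault.domain.com/.env) as the first argument; the exit status is non-zero when anything is flagged, so it can gate a deploy step.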

As always, this isn’t a 100% start-to-finish guide; it is more of a template for the things that I would otherwise forget when doing this.


Portwarden is great for backing up and restoring bitwarden/vaultwarden with attachments.

Below is a quick rundown from their page on how to use it

# If you are running self hosted instance, execute `bw config server https://MYSERVER.COM`
portwarden --passphrase 1234 --filename backup.portwarden encrypt
portwarden --passphrase 1234 --filename backup.portwarden decrypt
# RESTORE IS EXPERIMENTAL!! YOU MAY LOSE YOUR DATA
# IF YOU RESTORE TO YOUR MAIN ACCOUNT
# PLEASE MAKE SURE YOU KNOW WHAT YOU ARE DOING

# Please use a **spare** account for restoring backup
# Portwarden doesn't handle conflicts therefore a
# separate account is needed

# In fact we set up a check to make sure the account you
# are restoring to does not have any data in it
portwarden --passphrase 1234 --filename backup.portwarden restore