Installation
Bitwarden installation optimized for Google Cloud's 'always free' e2-micro compute instance
Note: if you follow these instructions the end product is a self-hosted instance of Bitwarden running in the cloud and will be free unless you exceed the 1GB egress per month or have egress to China or Australia. I talk about best practices to help avoid China/AUS egress, but there's a chance you can get charges from that so please keep that in mind.
This is a quick-start guide. This project was originally discussed here.
Before you start, ensure you have the following:
- A Google Cloud account
- A domain name or DDNS account
- Cloudflare is principally supported in this documentation
- Any ddclient-compatible DNS provider is supported: see DDNS
Note: If you are using an f1-micro instance (before August 2021), see here for instructions to migrate to e2-micro.
Google Cloud offers an 'always free' e2-micro tier of their Compute Engine with one virtual core and ~600 MB of RAM (about 150 MB free depending on which OS you installed). Vaultwarden runs well under these constraints; it's written in Rust and is an ideal candidate for a micro instance.
Go to Google Compute Engine and open a Cloud Shell. You may also create the instance manually following the constraints of the free tier. In the Cloud Shell enter the following command to build the properly spec'd machine:
$ gcloud compute instances create bitwarden \
--machine-type e2-micro \
--zone us-central1-a \
--image-project cos-cloud \
--image-family cos-stable \
--boot-disk-size=30GB \
--tags http-server,https-server \
--scopes compute-rw
You may change the zone to be closer to you or customize the name (bitwarden), but most of the other values should remain the same.
Next, create firewall rules to allow traffic to your VM. Bitwarden only serves encrypted traffic over HTTPS, but port 80 is needed for the Let's Encrypt challenges served by Caddy:
$ gcloud compute firewall-rules create bitwarden-http-ingress --action allow --target-tags http-server --rules tcp:80
$ gcloud compute firewall-rules create bitwarden-https-ingress --action allow --target-tags https-server --rules tcp:443
Enter a shell on the new instance and clone this repo:
$ git clone https://github.com/dadatuputi/bitwarden_gcloud.git
$ cd bitwarden_gcloud
Set up the docker-compose alias by using the included script:
$ sh utilities/install-alias.sh
$ source ~/.bashrc
$ docker-compose version
Docker Compose version v2.23.0
Copy the provided .env.template to .env. This file is self-documented and requires certain values such as a domain name, Cloudflare API tokens, etc.
- Configure Backup
- Configure fail2ban (optional)
- Configure Country-wide Blocking (optional)
- Configure Automatic Rebooting After Updates (optional)
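Because .env holds the Cloudflare API tokens and must be filled in before the first start, a pre-flight check like the one below can flag values left blank and a file mode that lets other local users read the file. This is an added example, not part of the bitwarden_gcloud repository; it assumes plain KEY=value lines, and every key name in its sample other than DOMAIN is constructed.

```shell
#!/bin/sh
# Added example (not from the bitwarden_gcloud repo): pre-flight check for .env.
# Assumption: both files use plain KEY=value lines; '#' lines are ignored.

# Print each key that is active in the template but missing or empty in the env file.
unset_env_keys() {
    sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1" | sort -u |
    while read -r key; do
        # The last assignment wins; drop quotes and blanks before the emptiness test.
        value=$(sed -n "s/^${key}=//p" "$2" | tail -n 1 | tr -d " \t\"'")
        [ -n "$value" ] || printf '%s\n' "$key"
    done
}

# Succeed only if group and others have no permission bits on the file.
env_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Report both findings; return non-zero if anything needs attention.
check_env() {
    rc=0
    missing=$(unset_env_keys "$1" "$2")
    if [ -n "$missing" ]; then
        printf 'unset in %s: %s\n' "$2" "$(printf '%s' "$missing" | tr '\n' ' ')"
        rc=1
    fi
    if ! env_is_private "$2"; then
        printf '%s is readable by other users; run: chmod 600 %s\n' "$2" "$2"
        rc=1
    fi
    return "$rc"
}

# Usage: sh check-env.sh .env.template .env
if [ $# -eq 2 ]; then
    check_env "$1" "$2"
else
    # No arguments: run on constructed sample files (only DOMAIN is a real key name).
    d=$(mktemp -d)
    printf 'DOMAIN=\nEXAMPLE_API_TOKEN=\n#OPTIONAL_KEY=\n' > "$d/.env.template"
    printf 'DOMAIN=vault.example.com\nEXAMPLE_API_TOKEN=""\n' > "$d/.env"
    chmod 644 "$d/.env"
    check_env "$d/.env.template" "$d/.env" || true
    rm -rf "$d"
fi
```

A key that the template intentionally leaves empty will also be reported, so treat the output as a list to review rather than a hard failure.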
To start up for the first time, use docker-compose:
$ docker-compose up
You should see the caddy service attempt to use ACME to auto-negotiate a Let’s Encrypt SSL cert. After some time, it should complete its negotiation and issue you a certificate.
Confirm that you can now use your browser to visit your personal Vaultwarden instance at the address set in your DOMAIN env var. If you have issues, check the output that docker-compose logs to the console.
If you run into issues, such as containers not starting, the following commands will be helpful:
- docker ps - this will show what containers are running, or if one of them has failed
- docker-compose logs <container name> - this will show the recent logs for the container name (or all containers if you omit the name) and is very useful in troubleshooting
For a pure Cloudflare approach, see this issue.