Chromium Bitwarden




This will be in English because it may be useful to the world. ;)

Short instructions on how to run a Bitwarden service on a home Qnap NAS.

Install „Container Station” on your Qnap. On the left panel of „Container Station” click the „Create” button and then „Create Application” in the upper right corner of the window. In the text input field, paste the content of the following listing and name this new application „bitwarden”.

Accept it and run. What you have really created is a Docker Compose YAML configuration file which pulls 3 images from the Docker Hub server:

  • bitwarden_rs – an unofficial Bitwarden server implemented in the Rust language,
  • nginx – a web server required here as a proxy for HTTPS requests,
  • bw_backup – a Docker image running a cron job to back up the Bitwarden database.

and runs them as containers inside „Container Station”.


You should pay particular attention to the ports configuration, the lines with the „580:80” and „5443:443” phrases. „580” and „5443” are the outside ports which are open on the Qnap itself. You can change them to whatever suits you, but don’t use 80, 443 or 8080 because they are already taken by Qnap’s own services.

Before you run the freshly created application (that’s Qnap Container Station’s name for the docker-compose GUI), log into the Qnap over SSH and go to the application folder:

Now, you must create configuration for nginx:

Save it as nginx.conf in the /share/Container/container-station-data/application/bitwarden/data/nginx folder.

Now, you have to create a self-signed certificate to encrypt HTTP requests with SSL. To do this, log in to the Qnap with SSH and run the following commands:

In this repo you’ll find two interesting files: data/ssl/bitwarden.ext:

and script called create_ssl.sh:

You can edit data/ssl/bitwarden.ext to make certificate generation easier. Look at these lines:

and this:

Warning: your certificate will be valid only for the above domains. I use Pi-hole local DNS to redirect bitwarden.fubar to my QNap IP address.

OK, run the create_ssl.sh script and follow the instructions. At the end you will find a whole new structure of folders with files in the ssl directory.

Copy the certs and private folders to /share/Container/container-station-data/application/bitwarden/data/ssl.
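
The certificate steps above, as an added example (not the repository's create_ssl.sh or bitwarden.ext): a private root CA signs a server certificate whose subjectAltName lists the hostname, then the chain and the name are checked. The names myCA.crt and bitwarden.fubar come from the article; the other file names, the CA subject, key size and validity periods are assumptions.

```sh
# Added example, not the repo's create_ssl.sh. myCA.crt and bitwarden.fubar come
# from the article; other file names, subjects and lifetimes are assumptions.
set -e

# make_ca DIR: create a root CA private key and self-signed CA certificate.
make_ca() {
cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Home Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/ca.cnf" -keyout "$1/myCA.key" -out "$1/myCA.crt" 2>/dev/null
}

# make_server_cert DIR HOST: issue a server certificate whose only SAN is HOST.
make_server_cert() {
cat > "$1/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $2
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/myCA.crt" -CAkey "$1/myCA.key" \
        -CAcreateserial -sha256 -days 825 -extfile "$1/server.ext" \
        -out "$1/server.crt" 2>/dev/null
    chmod 600 "$1/myCA.key" "$1/server.key"   # private keys: owner-only
}

# cert_ok DIR NAME: true only if server.crt chains to myCA.crt and covers NAME.
cert_ok() {
    openssl verify -CAfile "$1/myCA.crt" "$1/server.crt" >/dev/null 2>&1 &&
        openssl x509 -in "$1/server.crt" -noout -checkhost "$2" | grep -q 'does match'
}

# Demo with constructed inputs in a throwaway directory.
demo=$(mktemp -d); make_ca "$demo"; make_server_cert "$demo" bitwarden.fubar
cert_ok "$demo" bitwarden.fubar && echo "bitwarden.fubar: accepted"
cert_ok "$demo" 10.0.0.1 || echo "10.0.0.1: rejected, not in subjectAltName"
rm -rf "$demo"
```

A client pointed at an address that is not in the SAN list gets a name mismatch even with the CA installed; an IP address needs its own IP.1 entry under [alt_names].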

Now, start Bitwarden application:


Open a web browser and go to a URL like https://bitwarden.fubar:5443; remember to change the domain to the same value as DNS.1 in the SSL configuration.

You should see Bitwarden login page:

Time to install and use Bitwarden clients on desktops (macOS, Linux, Windows) and mobiles (Android, iOS), but before you do, go back to the SSH session on your Qnap and copy the „myCA.crt” file to your computer.


This file is the root CA certificate that makes your Bitwarden clients accept the certificate used for the connection as valid even though it is self-signed by you.

Install the CA certificate on every host where you use a Bitwarden client:

macOS – double-click the CRT file and it will open in Keychain Access; add it to the System keychain and choose the „Always Trust” option,

Linux (Debian/Ubuntu) – https://askubuntu.com/questions/73287/how-do-i-install-a-root-certificate

If your CA is in PEM format, convert the .pem file to a .crt file:

  1. Create a directory for extra CA certificates in /usr/share/ca-certificates:

  2. Copy the server_rootCA.crt file to this directory:

  3. Let Debian/Ubuntu add the .crt file’s path relative to /usr/share/ca-certificates to /etc/ca-certificates.conf:

  3a. To do this non-interactively, run:

Windows – don’t use it.


Firefox – go to Preferences -> Privacy & Security -> View Certificates. Click Import, then choose PEM/CRT file, select „Trust this CA to identify websites.”

Chrome – on macOS it uses Keychain so you don’t need to add it again. For Linux check this website: https://thomas-leister.de/en/how-to-import-ca-root-certificate/. Quick hint: go to Settings -> Privacy & Security -> Security -> Manage Certificates and Import.

Warning! The original Bitwarden Desktop client uses the Chromium sandbox so you HAVE TO install the CA certificate into Chromium!!!

When the CA certificate is in the right place, the last thing is this: before you connect, every Bitwarden client must „know” the right address of the Bitwarden server.


Run the client and click the gear icon:

then put your server address in 4 fields:

  • Server URL
  • Web vault server URL
  • API server URL
  • Identity server URL

Remember to put it in the following form: https://my.ip.address:myport. If your server has IP 10.0.0.1 and port 5443, it should be https://10.0.0.1:5443, like in the image below. If you use a domain name (as I do), you should replace the IP with the domain:

Now it’s time to create an account; you can do it by pointing a browser at the very same URL as used above: https://10.0.0.1:5443.


It’s all ready to use now.

A few steps to consider:

  • store the database backup somewhere outside the Qnap,
  • import data from another password manager,
  • set up a VPN connection to the Qnap to synchronize the database when you are outside.

UPDATE:

How to update docker images?

  • ALWAYS MAKE BACKUP OF YOUR VAULT!!! Export it in JSON from Bitwarden client.
  • go to your QNap, run FileStation and zip the full content of your application data folder:

  • stop the application in ContainerStation and remove it. Go to the Images tab and pull the new version of the images: bitwardenrs/server, bruceforce/bw_backup and nginx:1.15-alpine.
  • create the application as written at the beginning of this article, don’t run it
  • unzip the content of the previously backed-up data folder (configuration for nginx, ssl, vault and vault’s backup).
  • run application.
