[GH-ISSUE #634] making bitwarden_rs production ready #429

Closed
opened 2026-03-03 01:29:02 +03:00 by kerem · 15 comments

Originally created by @hboetes on GitHub (Sep 25, 2019).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/634

Hi there,

I just compiled and installed bitwarden_rs and it is a very nice implementation indeed. But could you make it ready for production, as in using a "make install" which installs all binaries, data files and config files and having a configuration file in /etc/bitwarden_rs?

This will make deploying and using bitwarden_rs so much easier.

Thanks!

kerem closed this issue 2026-03-03 01:29:02 +03:00

@mqus commented on GitHub (Sep 25, 2019):

What you describe is mostly a packaging issue (e.g. should the binary be located in /bin or in /usr/bin ? should the files for the web interface be located in /usr/share/bitwarden_rs or some other directory? should the config be a file in /etc or in a subdirectory? What are the options one should enable in a systemd service, if systemd is available at all (e.g. the BSDs)?

Most of the answers to this depend on the Linux/BSD/Windows(?) flavor and can't easily be addressed in an upstream makefile. Therefore we have created some packages (see [here](https://github.com/dani-garcia/bitwarden_rs/wiki/Available-packages)) already and you are invited to do the same for your distribution/OS. Due to the static linking, packaging bitwarden_rs is relatively easy.

Another option many users prefer is the dockerfile (also described in the Wiki) but as I understand your issue, this is maybe not your goal.


@hboetes commented on GitHub (Sep 25, 2019):

Ah yes, the arch linux file is nice to read: https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=bitwarden_rs
Thanks for the heads up.

Let's see if I can create a debian/ubuntu .deb package based on that.


@hboetes commented on GitHub (Sep 25, 2019):

Trying to build with the stable rustc doesn't work alas.

```
error[E0554]: #![feature] may not be used on the stable release channel
 --> /home/thorin/.cargo/registry/src/github.com-1ecc6299db9ec823/pear_codegen-0.1.2/src/lib.rs:1:1
  |
1 | #![feature(crate_visibility_modifier)]
  | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

error[E0554]: #![feature] may not be used on the stable release channel
 --> /home/thorin/.cargo/registry/src/github.com-1ecc6299db9ec823/pear_codegen-0.1.2/src/lib.rs:2:1
  |
2 | #![feature(proc_macro_diagnostic, proc_macro_span)]
  | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
```


@hboetes commented on GitHub (Sep 25, 2019):

Also having to use environment variables to pass on the configuration is rather clumsy:

Case in point, now I am running with this service file:

```
[Unit]
Description=Bitwarden Server (Rust Edition)
Documentation=https://github.com/dani-garcia/bitwarden_rs
After=network.target

[Service]
# The user/group bitwarden_rs is run under. the working directory (see below) should allow write and read access to this user/group
User=bitwarden_rs
Group=bitwarden_rs
# The location of the .env file for configuration
EnvironmentFile=/etc/bitwarden_rs.env
# The location of the compiled binary
ExecStart=/usr/bin/bitwarden_rs
# Set reasonable connection and process limits
LimitNOFILE=1048576
LimitNPROC=64
# Isolate bitwarden_rs from the rest of the system
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
WorkingDirectory=/var/lib/bitwarden_rs
ReadWriteDirectories=/var/lib/bitwarden_rs
# Allow bitwarden_rs to bind ports in the range of 0-1024
# AmbientCapabilities=CAP_NET_BIND_SERVICE
PassEnvironment=DATABASE_URL ADMIN_TOKEN SHOW_PASSWORD_HINT DOMAIN ROCKET_ADDRESS ROCKET_PORT ROCKET_TLS SMTP_HOST SMTP_FROM SMTP_FROM_NAME SMTP_PORT SMTP_SSL

[Install]
WantedBy=multi-user.target
```

And after using `systemctl start bitwarden_rs` I get this log output:

```
Sep 25 16:37:44 thorin bitwarden_rs[13218]: unable to load Private Key
Sep 25 16:37:44 thorin bitwarden_rs[13218]: Can't open data/rsa_key.der for reading, No such file or directory
```

When I'm using exactly the same contents in my env file, which does work when I source it manually.

It would really be nice if bitwarden_rs would read the config file instead of using environment variables.


@mqus commented on GitHub (Sep 25, 2019):

Why do you need `PassEnvironment`? systemd sets the environment based on the file it read in `EnvironmentFile`, which should be set to your .env file.


@hboetes commented on GitHub (Sep 25, 2019):

Because I keep getting:

```
Sep 25 20:51:17 thorin bitwarden_rs[28789]: 140640243388864:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('data/rsa_key.der','rb')
Sep 25 20:51:17 thorin bitwarden_rs[28789]: 140640243388864:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79:
Sep 25 20:51:17 thorin bitwarden_rs[28789]: unable to load Private Key
```

And there is nothing suspicious about the ROCKET_TLS env var from the .env file.

```
ROCKET_TLS={certs="/etc/nginx/ssl/thorin.example.com.crt",key="/etc/nginx/ssl/example.com.key"}
```

@hboetes commented on GitHub (Sep 25, 2019):

I get that error message even when I remove ROCKET_TLS completely from the .env file???


@mqus commented on GitHub (Sep 25, 2019):

This is just a shot into the blue but systemd starts the service as the user bitwarden_rs, so the tls keys have to be readable for that user, are they (and all directories in the path)?


@mqus commented on GitHub (Sep 25, 2019):

Ah no, the `data/rsa_key.der` file is not the tls key but is necessary for bitwarden_rs to function at all and should be located under `[bitwarden_rs data dir or working directory]/data/rsa_key.der`. Bitwarden_rs will usually create this key when starting for the first time (I think) and for this the directories must be at least readable or creatable for the user `bitwarden_rs`.

In the case of archlinux, the directory /var/lib/bitwarden_rs is created on install and chmod/chown'd to bitwarden_rs. bitwarden_rs then has the rights to create the data directory and its own files.

EDIT: see here: https://aur.archlinux.org/cgit/aur.git/tree/bitwarden_rs.install?h=bitwarden_rs#n1


@hboetes commented on GitHub (Sep 25, 2019):

Figured it out: I forgot to set DATA_FOLDER :-)
I haven't got a Debian port yet, but I did create a c4O port, which makes it easy to build from git and still get everything in the right place.
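
Added example (not part of the original thread and not bitwarden_rs code): a small lint that resolves where the data folder ends up for a unit/env file pair and checks it against the sandbox's writable paths, the kind of mismatch behind the `data/rsa_key.der` error above. The names `parse_kv` and `lint`, the sample input, and the `"data"` fallback are assumptions.

```python
import posixpath

def parse_kv(text):
    """Collect KEY=VALUE lines from a unit or env file; skip comments and [Section] headers."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        found.setdefault(key.strip(), []).append(value.strip())
    return found

def lint(unit_text, env_text):
    """Return (resolved data folder, findings) for a unit/env file pair."""
    unit, env = parse_kv(unit_text), parse_kv(env_text)
    findings = []
    # systemd runs system services with "/" as cwd unless WorkingDirectory= is set.
    workdir = unit.get("WorkingDirectory", ["/"])[-1]
    # Assumption: with DATA_FOLDER unset the server uses the relative folder "data",
    # as the "data/rsa_key.der" path in the thread's log suggests.
    data = env.get("DATA_FOLDER", ["data"])[-1].strip("\"'")
    if "DATA_FOLDER" not in env:
        findings.append("DATA_FOLDER unset: data folder depends on WorkingDirectory")
    resolved = posixpath.normpath(posixpath.join(workdir, data))
    # ReadWriteDirectories= is the older spelling of ReadWritePaths=; accept both.
    writable = [p.lstrip("-+").rstrip("/") or "/"
                for key in ("ReadWritePaths", "ReadWriteDirectories")
                for value in unit.get(key, []) for p in value.split()]
    strict = unit.get("ProtectSystem", [""])[-1] == "strict"
    inside = any(resolved == w or resolved.startswith(w.rstrip("/") + "/") for w in writable)
    if strict and not inside:
        findings.append(f"{resolved} is not writable under ProtectSystem=strict")
    if "EnvironmentFile" in unit and "PassEnvironment" in unit:
        findings.append("PassEnvironment not needed: EnvironmentFile already sets the variables")
    return resolved, findings

# Constructed sample input: the relevant lines of the unit file from the thread.
UNIT = """[Service]
EnvironmentFile=/etc/bitwarden_rs.env
ProtectSystem=strict
WorkingDirectory=/var/lib/bitwarden_rs
ReadWriteDirectories=/var/lib/bitwarden_rs
PassEnvironment=DATABASE_URL ADMIN_TOKEN
"""

if __name__ == "__main__":
    for env_text in ("", "DATA_FOLDER=/srv/bitwarden\n", "DATA_FOLDER=/var/lib/bitwarden_rs\n"):
        print(lint(UNIT, env_text))
```

The lint only reasons about paths; ownership and existence of the resolved directory for the `bitwarden_rs` user still have to be checked on the host.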


@mprasil commented on GitHub (Sep 26, 2019):

Do I understand correctly that you managed to resolve all the issues and this can now be closed?


@hboetes commented on GitHub (Sep 26, 2019):

I solved my own issues, but there is still no documentation on how to prepare bitwarden_rs for packaging. I think I'll write something this evening.
Ideally quite a few things would be implemented in code, making the life of packagers easier. Something like a make install target.


@hboetes commented on GitHub (Sep 26, 2019):

So this is a TLDR howto:

  • Get all the attached files and remove the .txt extension:
  • Adjust the file bitwarden_rs.env to your liking as described in that file.
  • Install rust, like described here: https://www.rust-lang.org/tools/install
  • Install all dependencies:
    apt/yum/whatever install nginx pkg-config libssl1.0-dev
  • Get certbot to get you a set of certificates for your host or whatever strikes your fancy.
  • Read the buildinstructions file or run it as a script
  • After that you end up with all the files you need in $PWD/fakedir
  • And then read the installinstruction file or run it as a script
  • After that you have a "complete package file" which you can install with:
    sudo tar xzf bitwarden_rs-*.tgz -C /

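[installinstructions.txt](https://github.com/dani-garcia/bitwarden_rs/files/3659595/installinstructions.txt)
[bitwarden_rs.env.txt](https://github.com/dani-garcia/bitwarden_rs/files/3659596/bitwarden_rs.env.txt)
[buildinstructions.txt](https://github.com/dani-garcia/bitwarden_rs/files/3659597/buildinstructions.txt)
[nginx_config.txt](https://github.com/dani-garcia/bitwarden_rs/files/3659598/nginx_config.txt)
[bitwarden_rs.service.txt](https://github.com/dani-garcia/bitwarden_rs/files/3659599/bitwarden_rs.service.txt)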


@mprasil commented on GitHub (Sep 30, 2019):

Thanks for that, I'm sure some people will find that helpful. I'm going to close the issue now.


@hboetes commented on GitHub (Sep 30, 2019):

Is the 'make install target' on some TODO list now? :-)
