Deploy Bitwarden on Docker Swarm

In this tutorial we’ll deploy Bitwarden on Docker Swarm. It’s based on an earlier tutorial on this site, where we deployed Docker Swarm on DigitalOcean.
Bitwarden is a password manager with support for self hosting. We’ll be using bitwarden_rs, an unofficial Bitwarden API server implementation, as it’s a fair bit faster than the default implementation. Bitwarden_rs is written in Rust and is compatible with the officla Bitwarden clients.
Bitwarden has the following features, among others:
- Open source
- Clients for Mac, Linux, Windows, iPhone, iPad and Android
- Support for 2FA, YubiKeys, etc
The tutorial assumes you have a Docker Swarm cluster running, and that you have root
access to your nodes.
Prepare Manager Node
Use ssh
to connect to your manager
node and create a directory where we’ll store our Bitwarden files, in this example we’ll use /var/swarm/bitwarden
(and /var/swarm/bitwarden/data
for data):
# mkdir -p /var/swarm/bitwarden/data
Configure Bitwarden Deployment
Configure Bitwarden by changing the docker-compose.yml
file below, making sure example.com
matches your domain name and potentially disabling signups:
# vim /var/swarm/bitwarden/docker-compose.yml
version: "3"
services:
bitwarden:
image: bitwardenrs/server
volumes:
- /var/swarm/bitwarden/data:/data
environment:
SIGNUPS_ALLOWED: "true" # set to false to disable signups
networks:
- proxy
deploy:
labels:
- traefik.enable=true
- traefik.backend=bitwarden
- traefik.backend.loadbalancer.swarm=true
- traefik.docker.network=proxy
- traefik.frontend.rule=Host:bitwarden.example.com
- traefik.port=80
- traefik.frontend.headers.SSLRedirect=true
- traefik.frontend.headers.STSSeconds=315360000
- traefik.frontend.headers.browserXSSFilter=true
- traefik.frontend.headers.contentTypeNosniff=true
- traefik.frontend.headers.forceSTSHeader=true
- traefik.frontend.headers.SSLHost=bitwarden.example.com
- traefik.frontend.headers.STSIncludeSubdomains=true
- traefik.frontend.headers.STSPreload=true
- traefik.frontend.headers.frameDeny=true
placement:
constraints:
- node.role == manager
networks:
proxy:
external: true
For more configuration options, refer to the
bitwarden_rs
documentation.
Deploy Bitwarden
Finally, let’s deploy Bitwarden:
# docker stack deploy bitwarden --compose-file /var/swarm/bitwarden/docker-compose.yml
It’ll take a few seconds until Bitwarden is up and running. Once it is, visit bitwarden.example.com
to access the web interface.
Last Words
Would you like to know more about privacy, security and Docker? Here are some book recommendations:
- CompTIA Security+ All-in-One Exam Guide
- Hacking: The Art of Exploitation
- Docker: Up & Running: Shipping Reliable Containers in Production 2nd
- Docker Deep Dive
Audible has a fair amount of books on these topics and others. If you sign up using this link you’ll get 30 days for free!
If you don’t have a Docker Swarm cluster running already, I can recommend using DigitalOcean to host one. Using this link you’ll get $50 to spend on their services for 30 days. 😊
Revision
2019-11-04 Removed unnecessarily exposed ports and incorrect environment variable. Thanks mhaluska!