How to set up alpine with ipv6 and vaultwarden, NO DOCKER

I mostly just wanted to document this since everyone seems to want to use docker these days. I rather prefer a SEPARATE virtual machine dedicated JUST to my password manager, so I can really isolate it nicely from my other servers. As an added bonus, I also include directions on how to get alpine set up on ipv6 ONLY.

The most difficult part about setting alpine on ipv6 only is that it's POORLY or WRONGLY documented on most of the internet. Mostly it's just a simple matter of saying 'manual' network config, and not specifying an ip address or DHCP server. SLAAC should 'just work' so long as you put in an ipv6 nameserver (like cloudflare's ipv6 1111 server)! Once that is done everything (except STUPID, BACKWARDS MICROSOFT owned github.com!) will work nicely. Since you are ipv6 ONLY, lots of old and crufty things will not work. Nice thing is, fewer foreign nationals scanning your server!

The second part is setting up bitwarden. You need to use the following commands:

apk add vaultwarden vaultwarden-web-vault vaultwarden-doc caddy

Next part is getting vaultwarden to properly bind to ipv6. Most of the vaultwarden files live in /etc/conf.d/. I edit the vaultwarden.conf and change a few things (only changed things noted!)

export ROCKET_ADDRESS=::
# this MIGHT work if you want to bind to loopback ONLY (::1 is the ipv6 loopback address); untested, TBD
#export ROCKET_ADDRESS=::1
## Web vault settings
export WEB_VAULT_FOLDER=/usr/share/webapps/vaultwarden-web
## ! enable this to true and install vaultwarden-web-vault to use it
export WEB_VAULT_ENABLED=true
export DOMAIN=https://<your fqdn>
## Invitations org admins to invite users, even when signups are disabled
export INVITATIONS_ALLOWED=true

You may need to do a bit more; the wiki explains most of the setup. I just wanted to explain the ipv6 part. Finally, to get 'automatic' https use the following caddy config:


<your fqdn website> {
        tls <youremailaddress>
        log {
                output file /home/caddy/logs/<YOURSITE>.log {
                        roll_keep 7
                        roll_keep_for 14d
                }
                level debug
        }
        reverse_proxy localhost:8000 {
        }
} 

Everything lives in /etc/conf.d in most cases, except for caddy which lives in /etc/caddy. I also recommend setting up netfilter with denies to port 8000 (eventually I will get the localhost thing working). Finally, once you get things working, start up the agents with service vaultwarden start and service caddy start. You might need a lot of configuration; I will update it as I get more experienced doing this.
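
The deny on port 8000 recommended above, written out as an nftables ruleset for an ipv6-only SLAAC host. This is an added example, not the author's own ruleset. The table name vw_guard, the SSH rule on port 22 and the HTTP/3 rule are assumptions to adjust for your machine.

```nftables
#!/usr/sbin/nft -f
# Added example: constructed ruleset, not taken from the original post.
# With ROCKET_ADDRESS=:: vaultwarden listens on port 8000 on every address,
# in plain HTTP. Only caddy, coming in over loopback, should reach it.

# Declare-then-delete makes reloading this file idempotent and touches
# only this table (vw_guard is a hypothetical name).
table inet vw_guard
delete table inet vw_guard

table inet vw_guard {
    chain input {
        type filter hook input priority 0; policy drop;

        # caddy -> localhost:8000 travels over loopback; always allow it.
        iifname "lo" accept

        # ICMPv6 an ipv6-only SLAAC host depends on: router advertisements,
        # neighbor discovery, path-MTU and error messages. Accepted before
        # any conntrack rule so neighbor discovery is never filtered by state.
        icmpv6 type {
            nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert,
            packet-too-big, destination-unreachable, time-exceeded,
            parameter-problem, echo-request
        } accept

        # Replies to connections this host opened (DNS, ACME, apk, ...).
        ct state established,related accept

        # Public entry points: caddy for the ACME challenge / redirect and TLS.
        tcp dport { 80, 443 } accept
        udp dport 443 accept        # assumption: HTTP/3 left enabled in caddy

        # Assumption: SSH on port 22 for administration; change or remove.
        tcp dport 22 accept

        # The deny from the post: the vaultwarden port from anywhere but lo.
        # policy drop already covers it; the explicit rule adds a counter so
        # probes are visible in `nft list table inet vw_guard`.
        tcp dport 8000 counter drop
    }
}
```

Check the file with nft -c -f <file> before loading it with nft -f <file>, and keep a console session open in case the SSH assumption does not match your setup.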