Skip to content

Setup as a systemd service

Jump to bottom Edit New page
mqus edited this page Dec 28, 2019 · 14 revisions

These instructions require you to have compiled the bitwarden_rs binary. If you generated a docker image, you may want to look at Running with systemd-docker

Setup

Making bitwarden_rs start on system startup and use the other facilities of systemd (e.g. isolation, logging,...) requires a .service file. The following is a usable starting point:

[Unit]
Description=Bitwarden Server (Rust Edition)
Documentation=https://github.com/dani-garcia/bitwarden_rs
# If you use a database like mariadb,mysql or postgresql, 
# you have to add them like the following and uncomment them 
# by removing the `# ` before it. This makes sure that your 
# database server is started before bitwarden_rs ("After") and has 
# started successfully before starting bitwarden_rs ("Requires").

# Only sqlite
After=network.target

# MariaDB
# After=network.target mariadb.service
# Requires=mariadb.service

# Mysql
# After=network.target mysqld.service
# Requires=mysqld.service

# PostgreSQL
# After=network.target postgresql.service
# Requires=postgresql.service


[Service]
# The user/group bitwarden_rs is run under. the working directory (see below) should allow write and read access to this user/group
User=bitwarden_rs
Group=bitwarden_rs
# The location of the .env file for configuration
EnvironmentFile=/etc/bitwarden_rs.env
# The location of the compiled binary
ExecStart=/usr/bin/bitwarden_rs
# Set reasonable connection and process limits
LimitNOFILE=1048576
LimitNPROC=64
# Isolate bitwarden_rs from the rest of the system
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
WorkingDirectory=/var/lib/bitwarden_rs
ReadWriteDirectories=/var/lib/bitwarden_rs
# Allow bitwarden_rs to bind ports in the range of 0-1024
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

Change all paths to match your installation (WorkingDirectory and ReadWriteDirectory should be the same), name this file bitwarden_rs.service and put it into /etc/systemd/system.

If you have to change an existing systemd file (which was provided to you by the package you installed), you can add your changes by using

$ sudo systemctl edit bitwarden_rs.service

To make systemd aware of your new file or any changes you made, run

$ sudo systemctl daemon-reload

Usage

To start this "service", run

$ sudo systemctl start bitwarden_rs.service

To enable autostart, run

$ sudo systemctl enable bitwarden_rs.service

In the same way you can stop, restart and disable the service.

Updating bitwarden_rs

After compiling the new version of bitwarden_rs, you can copy the compiled (new) binary and replace the existing (old) binary and then restart the service:

$ sudo systemctl restart bitwarden_rs.service

Uninstalling bitwarden_rs

Before doing anything else, you should stop and disable the service:

$ sudo systemctl disable --now bitwarden_rs.service

Then you can delete the binary, the .env file, the web-vault folder (if installed) and the user data (if necessary). Remember to also remove specially created users,groups and firewall rules (if needed) and the systemd file.

After removing the systemd file you should make systemd aware of it via:

$ sudo systemctl daemon-reload

Logging and status view

If you want to see the logging output, run

$ journalctl -u bitwarden_rs.service

or to see a more concise state of the service, run

$ systemctl status bitwarden_rs.service

Troubleshooting

Sandboxing options with older systemd versions

In RHEL 7 (and debian 8), the used systemd does not support some of the used isolation options. (#445,#363) This can result in one of the following errors:

Failed at step NAMESPACE spawning /home/bitwarden_rs/bitwarden_rs: Permission denied

or

Failed to parse protect system value

To work around this you can comment out some or all of these settings by putting a # in front of the lines containing PrivateTmp, PrivateDevices, ProtectHome, ProtectSystem and ReadWriteDirectories. While commenting out all of them will probably work, it's not recommended as these are security measures which are good to have. To see which options your systemd supports, look at the output of

$ systemctl --version

to determine your systemd version and compare with systemd/NEWS.md.

After editing your .service file, don't forget to

$ sudo systemctl daemon-reload

before (re-)starting your service.

More information

For more information on .service files, see the manpages of systemd.service and (for the security configuration) systemd.exec

Add a custom footer

FAQs

  1. FAQs
  2. Audits

Container Image Usage

  1. Which container image to use
  2. Starting a container
  3. Updating the vaultwarden image
  4. Using Docker Compose
  5. Using Podman

Deployment

  1. Building your own docker image
  2. Building binary
  3. Pre-built binaries
  4. Third-party packages
  5. Deployment examples
  6. Proxy examples
  7. Logrotate example

HTTPS

  1. Enabling HTTPS
  2. Running a private vaultwarden instance with Let's Encrypt certs

Configuration

  1. Overview
  2. Disable registration of new users
  3. Disable invitations
  4. Enabling admin page
  5. Disable the admin token
  6. Enabling WebSocket notifications
  7. Enabling Mobile Client push notification
  8. Enabling U2F and FIDO2 WebAuthn authentication
  9. Enabling YubiKey OTP authentication
  10. Changing persistent data location
  11. Changing the API request size limit
  12. Changing the number of workers
  13. SMTP configuration
  14. Translating the email templates
  15. Password hint display
  16. Disabling or overriding the Vault interface hosting
  17. Logging
  18. Creating a systemd service
  19. Syncing users from LDAP
  20. Using an alternate base dir (subdir/subpath)
  21. Other configuration

Database

  1. Using the MariaDB (MySQL) Backend
  2. Using the PostgreSQL Backend
  3. Running without WAL enabled
  4. Migrating from MariaDB (MySQL) to SQLite

Security

  1. Hardening Guide
  2. Fail2Ban Setup
  3. Fail2Ban + ModSecurity + Traefik + Docker

Backup

  1. General (not docker)

Other Information

  1. Importing data from Keepass or KeepassX
  2. Backing up your vault
  3. Differences from the upstream API implementation
  4. Supporting upstream development
  5. Caddy 2.x with Cloudflare DNS
Clone this wiki locally