A niche email provider I use now requires a Passkey to keep using the account. I have no YubiKey, and after fiddling for ages trying to use Windows Hello from the browser it never worked (the device/OS is probably too old), which was annoying.
After asking around, Bitwarden seemed to be the only option. I don't get why a server side has to be mandatory; WebDAV should be enough for syncing data between devices.
End of rant.
Thoughts
For self-hosting I went with vaultwarden (formerly bitwarden_rs), which has more GitHub stars than the official server.
Following wiki#Which-container-image-to-use, I picked the most recent alpine image, 1.35.2-alpine.
Following wiki#Backing-up-your-vault, backing up the data can be done with a script dropped into crontab that does the following:
- stop the container
- compress the data directory
- copy the archive somewhere else as a backup
- start the container again
#!/bin/bash
# Stop the container so the SQLite database is not written while it is copied,
# archive the data directory, ship the archive off-box, then start the container again.
# The deployment below uses `docker run --name vaultwarden`; with docker-compose use
# `docker-compose down` / `docker-compose up -d` in place of stop/start.
set -euo pipefail
datestamp=$(date +%Y-%m-%d)   # ISO date so the archives sort chronologically
data_dir="/opt/vw-data"
backup_dir="/home/<user>/vw-backups"
mkdir -p "${backup_dir}"
docker stop vaultwarden
trap 'docker start vaultwarden' EXIT   # restart even if zip or scp fails
zip -9 -r "${backup_dir}/${datestamp}.zip" "${data_dir}"
scp -i ~/.ssh/id_rsa "${backup_dir}/${datestamp}.zip" user@<REMOTE_IP>:~/vw-backups/
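The weak point of a script like the one above is that a plain zip of the data directory (the SQLite database, the RSA signing key, attachments) is shipped to another host, and nothing later checks that what arrived is what left or that it can still be restored. The following is an added example, not the author's script and not from the vaultwarden wiki: it encrypts the archive with a passphrase before it leaves the box, records a SHA-256 checksum beside it, verifies that a backup still decrypts to a readable archive, and keeps only the newest N. The function names, the vw- file prefix and the choice of openssl enc with PBKDF2 are my own assumptions; the stop/start and scp steps from the page would wrap backup_vault.

```shell
#!/bin/bash
# Added example (not the author's script): encrypted, checksummed vaultwarden
# backups with a verification step and retention. Assumes tar, gzip and openssl
# are installed and that the passphrase file is readable only by the backup user.
set -eu

# backup_vault <data_dir> <backup_dir> <passphrase_file>
# Archives <data_dir> (db.sqlite3, rsa_key*, attachments/ ...), encrypts it with
# AES-256-CBC under a PBKDF2-derived key, writes a .sha256 beside it and prints
# the path of the encrypted archive.
backup_vault() {
  local data_dir="$1" backup_dir="$2" pass_file="$3"
  local stamp plain archive
  mkdir -p "${backup_dir}"
  stamp=$(date +%Y%m%d-%H%M%S)          # fixed width, so names sort chronologically
  archive="${backup_dir}/vw-${stamp}.tar.gz.enc"
  plain=$(mktemp "${backup_dir}/.plain.XXXXXX")
  # tar from the parent directory so the archive holds a relative path
  tar -C "$(dirname "${data_dir}")" -czf "${plain}" "$(basename "${data_dir}")"
  openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:${pass_file}" \
    -in "${plain}" -out "${archive}"
  rm -f "${plain}"                      # never leave the plaintext archive behind
  openssl dgst -sha256 "${archive}" | awk '{print $NF}' > "${archive}.sha256"
  printf '%s\n' "${archive}"
}

# verify_backup <archive> <passphrase_file>
# Returns 0 only if the recorded checksum matches and the archive decrypts to a
# readable tar stream; tampering, truncation or a wrong passphrase returns 1.
verify_backup() {
  local archive="$1" pass_file="$2"
  local want have tmp
  want=$(cat "${archive}.sha256")
  have=$(openssl dgst -sha256 "${archive}" | awk '{print $NF}')
  [ "${want}" = "${have}" ] || return 1
  tmp=$(mktemp)
  if ! openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:${pass_file}" \
         -in "${archive}" -out "${tmp}" 2>/dev/null; then
    rm -f "${tmp}"; return 1
  fi
  if ! tar -tzf "${tmp}" > /dev/null 2>&1; then
    rm -f "${tmp}"; return 1
  fi
  rm -f "${tmp}"
}

# prune_backups <backup_dir> <keep>
# Deletes all but the <keep> newest archives (and their .sha256 files).
# Reverse lexical order of the fixed-width stamp is newest first; the backup
# directory is assumed to contain no whitespace in its path.
prune_backups() {
  local backup_dir="$1" keep="$2" n=0 f
  for f in $(ls -1r "${backup_dir}"/vw-*.tar.gz.enc 2>/dev/null || true); do
    n=$((n + 1))
    if [ "${n}" -gt "${keep}" ]; then
      rm -f -- "${f}" "${f}.sha256"
    fi
  done
}
```

A cron job would call backup_vault between the container stop and start, scp the .enc and .sha256 files together, and run verify_backup on the copy that landed on the remote host, since a backup that has never been restored is only a hope. The passphrase file must be stored somewhere other than the backup destination, or the encryption buys nothing.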
This is sufficient for a personal deployment.
But after the deployment was done, I felt that for a single user it is enough to manually export a JSON file from the account.
For the initial setup, my plan is: enable the admin page, register my own user, then in the admin panel turn off signups, turn off invitations and so on, save, and finally block access to the /admin path in nginx.
Implementation
Not much to say really; it is a single image.
- Pull the image and run it
# generate the admin token with openssl
# openssl rand -base64 48
# A plain-text ADMIN_TOKEN works; newer releases also accept an Argon2 PHC hash
# (see the wiki page on enabling the admin page), which keeps the token out of
# the container environment.
docker pull vaultwarden/server:1.35.2-alpine
docker run --detach --name vaultwarden \
  --env ADMIN_TOKEN=xxxxx \
  --env DOMAIN="https://<your-domain>" \
  --volume /path/to/your/vw-data/:/data/ \
  --restart unless-stopped \
  --publish 127.0.0.1:8000:80 \
  vaultwarden/server:1.35.2-alpine
# Settings saved in the admin page are written to /data/config.json and override
# these environment variables on later starts, so closing signups there sticks.
# Day-to-day management
docker stop vaultwarden
docker inspect vaultwarden   # prints Config.Env, including a plain-text ADMIN_TOKEN
# docker rm -f vaultwarden
docker start vaultwarden
- Configure nginx
# The `upstream` directives ensure that you have a http/1.1 connection
# This enables the keepalive option and better performance
#
# Define the server IP and ports here.
upstream vaultwarden-default {
zone vaultwarden-default 64k;
server 127.0.0.1:8000;
keepalive 2;
}
# Needed to support websocket connections
# See: https://nginx.org/en/docs/http/websocket.html
# Instead of "close" as stated in the above link we send an empty value.
# Else all keepalive connections will not work.
map $http_upgrade $connection_upgrade {
default upgrade;
'' "";
}
server {
# For older nginx versions, append http2 to the listen lines after ssl and remove `http2 on`
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name <your-domain>;
ssl_certificate $NixopsCert;
ssl_certificate_key $NixopsKey;
client_max_body_size 525M;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# If you use Cloudflare proxying, replace $remote_addr with $http_cf_connecting_ip
# See https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/#nginx-1
# alternatively use ngx_http_realip_module
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
location / {
proxy_pass http://vaultwarden-default;
}
# After the initial setup, uncomment this to block the admin page at the proxy:
# nginx answers 403 and the request is never forwarded to vaultwarden. Removing
# ADMIN_TOKEN from the container environment disables the page at the
# application layer as well, which is the belt-and-braces option.
#location /admin {
# deny all;
#}
}