{"id":22685819,"url":"https://github.com/hellodword/vaultwarden-less","last_synced_at":"2025-03-29T15:20:49.725Z","repository":{"id":265801557,"uuid":"811639325","full_name":"hellodword/vaultwarden-less","owner":"hellodword","description":"Run and backup vaultwarden rootless, distroless and CVE-less","archived":false,"fork":false,"pushed_at":"2025-02-10T05:12:29.000Z","size":72,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-03-24T05:37:03.725Z","etag":null,"topics":["bitwarden","bitwarden-backup","bitwarden-rs","vaultwarden","vaultwarden-backup"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hellodword.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-06-07T02:13:35.000Z","updated_at":"2025-02-10T05:12:33.000Z","dependencies_parsed_at":"2024-12-03T09:15:08.189Z","dependency_job_id":null,"html_url":"https://github.com/hellodword/vaultwarden-less","commit_stats":null,"previous_names":["hellodword/vaultwarden-less"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hellodword%2Fvaultwarden-less","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hellodword%2Fvaultwarden-less/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hellodword%2Fvaultwarden-less/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hellodword%2Fvaultwa
rden-less/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hellodword","download_url":"https://codeload.github.com/hellodword/vaultwarden-less/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246201123,"owners_count":20739702,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bitwarden","bitwarden-backup","bitwarden-rs","vaultwarden","vaultwarden-backup"],"created_at":"2024-12-09T22:17:44.689Z","updated_at":"2025-03-29T15:20:49.679Z","avatar_url":"https://github.com/hellodword.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# vaultwarden-less\n\nRun and backup vaultwarden rootless, distroless and CVE-less.\n\n## features\n\n- [x] trigger backup on change\n- [ ] hardening docker images\n  - [ ] service:vaultwarden\n    - [ ] distroless\n    - [x] nonroot\n    - [x] healthcheck\n    - [ ] CVE-less\n  - [x] service:trigger\n    - [x] ~~distroless~~ (maybe, because I use bash scripts in it, but I distroless it for fun)\n    - [x] nonroot\n    - [x] healthcheck\n    - [ ] CVE-less (hard, because I use prebuilt restic in it; I can compile it with the latest Go version, but the dependencies are always vulnerable)\n\n## how it works\n\nBitwarden applies all changes to the vaultwarden database, making it possible to back up on each change. I used `inotifywatch`; it works, but it's not graceful and can be buggy at times.\n\nIn `vaultwarden-less`, I created a [trigger](./cmd/trigger/main.go) that acts as a reverse proxy before vaultwarden. 
This way, all requests that change the database trigger the [scripts/backup](./scripts/backup), and report results via the [scripts/notify](./scripts/notify).\n\n\u003e [!CAUTION]\n\u003e Currently, this setup is for personal usage. There is a lock in the [trigger](./cmd/trigger/main.go), so it doesn't handle too many concurrent changes well.\n\n## how to use\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003e\nClick if you're running this on an IPv6-only EC2\n\u003c/b\u003e\u003c/summary\u003e\n\n```sh\n# enable IPv6 support of docker\n# https://docs.docker.com/config/daemon/ipv6/\nsudo vim /etc/docker/daemon.json\n# {\n#   \"ipv6\": true,\n#   \"fixed-cidr-v6\": \"2001:db8:1::/64\",\n#   \"experimental\": true,\n#   \"ip6tables\": true\n# }\nsudo systemctl restart docker\n\n# enable GitHub/ghcr.io IPv6 proxy (shame on you GitHub!)\n# https://danwin1210.de/github-ipv6-proxy.php\nvim /etc/hosts\n# 2a01:4f8:c010:d56::2 github.com\n# 2a01:4f8:c010:d56::3 api.github.com\n# 2a01:4f8:c010:d56::4 codeload.github.com\n# 2a01:4f8:c010:d56::5 objects.githubusercontent.com\n# 2a01:4f8:c010:d56::6 ghcr.io\n# 2a01:4f8:c010:d56::7 pkg.github.com npm.pkg.github.com maven.pkg.github.com nuget.pkg.github.com rubygems.pkg.github.com\n```\n\nEdit the `docker-compose.yml`:\n\n```diff\n+ networks:\n+   wan:\n+     enable_ipv6: true\n+     driver: bridge\n+     ipam:\n+       config:\n+         - subnet: 192.168.234.0/24\n+         - subnet: fd5f:c26e:7746:f664::/64\n\n\n   vaultwarden:\n+     networks:\n+       - wan\n+     sysctls:\n+       - net.ipv6.conf.all.disable_ipv6=1\n     hostname: vaultwarden\n     logging:\n       driver: \"local\"\n\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003e\nClick if you don't trust ghcr.io and want to build the images by yourself\n\u003c/b\u003e\u003c/summary\u003e\n\nEdit the `docker-compose.yml`:\n\n```diff\n           memory: 128M\n-    image: ghcr.io/hellodword/vaultwarden-less-trigger:latest\n-    # 
build:\n-    #   context: .\n-    #   dockerfile: ./docker/distroless-trigger.Dockerfile\n+    # image: ghcr.io/hellodword/vaultwarden-less-trigger:latest\n+    build:\n+      context: .\n+      dockerfile: ./docker/distroless-trigger.Dockerfile\n     env_file:\n```\n\n\u003c/details\u003e\n\n---\n\n1. clone repo\n\n```sh\ngit clone --depth=1 https://github.com/hellodword/vaultwarden-less\n\ncd vaultwarden-less\n```\n\n2. prepare directories and chown for nonroot distroless container\n\n```sh\nmkdir -p data git-backup restic-cache\nsudo chown -R 65532:65532 git-backup data restic-cache\n```\n\n3. replace the [scripts/backup](./scripts/backup) and [scripts/notify](./scripts/notify) with your own scripts or executables\n\nI use git, [restic](https://github.com/restic/restic) and [bark](https://github.com/Finb/bark) in my scripts, but you can replace them with anything, as long as they work with [distroless-trigger](./docker/distroless-trigger.Dockerfile).\n\nThe [scripts/backup](./scripts/backup) receives no arguments and should be secure (DoS not considered). The [scripts/notify](./scripts/notify) receives one argument, which is the notification message; I format the URIs in the source code, **but you should still be cautious**.\n\n4. customize the vaultwarden features\n\n\u003e \u003e See https://github.com/dani-garcia/vaultwarden/blob/main/.env.template\n\n```sh\nvim .env.vaultwarden\n```\n\n5. customize the trigger configuration\n\n\u003e \u003e edit the `exclude_path`, see the regexp syntax https://pkg.go.dev/regexp/syntax\n\n```sh\nvim config/trigger.json\n```\n\n6. expose the trigger (`127.0.0.1:8080`) to the world\n\nI'm using Nginx and Cloudflare, but you can use any tools and services you prefer.\n\n7. 
start\n\n```sh\ndocker compose down -t 360\n\ndocker compose up --build --pull always -d\n```\n\n## ref\n\n- distroless: https://github.com/hellodword/distroless-all\n- CVE-less\n  - https://github.com/aquasecurity/trivy\n  - https://docs.docker.com/scout/\n  - https://www.chainguard.dev/unchained/migrating-a-node-js-application-to-chainguard-images\n  - https://www.chainguard.dev/unchained/reducing-vulnerabilities-in-backstage-with-chainguards-wolfi\n  - https://www.chainguard.dev/unchained/zero-cves-and-just-as-fast-chainguards-python-go-images\n- httputil.ReverseProxy\n  - https://blog.joshsoftware.com/2021/05/25/simple-and-powerful-reverseproxy-in-go/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhellodword%2Fvaultwarden-less","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhellodword%2Fvaultwarden-less","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhellodword%2Fvaultwarden-less/lists"}