Hello!
I am hoping someone can help me get this project across the finish line. I have a bitwarden account through work, but I want to migrate my personal database to self-hosted. I already have a duckdns site and forwarding set up in opnsense for a plex server, which works fine. I want to add a password manager to that same in-house server. First I spun up a bitwarden container, but realized that half the features I wanted are behind a paywall. Plus I like FOSS software (I have a dozen containers with Home Automation software on that same server), so I wanted to get into Vaultwarden.
I am stuck with the https requirement for initial user creation. I can get vaultwarden docker running with no reverse proxy and direct-to-container port forwarding through opnsense, though it’s currently disabled because I don’t want to just leave it open until I get this all figured out. At first I wanted to avoid opening more ports for this project altogether because I usually just use wireguard to phone-home. No open ports is best security in my mind. But I understand now that these password managers like to phone home through SSL, so I might as well take this opportunity to learn about certificates and get it running. Would be nice to not have to click through that warning whenever I access my local services on my local LAN, too, I guess.
I get pretty far into the ‘official’ tutorials, but caddy is entirely new learning material for me. I’ve got it installed into the baremetal ubuntu that drives my server, though I suspect I didn’t need to do that since vaultwarden uses it in a container.
I’ve tried the Using Docker Compose · dani-garcia/vaultwarden Wiki guide part about “Caddy with DNS challenge”, but I get stuck at caddy. When I download the duckdns-added version of caddy, it’s not just a “caddy” file, and when I make that downloaded file executable with chmod, it still won’t run the way the next steps in the instructions say it should.
So then I think more about the ‘opening ports is better for the mobile app on WAN’, and I convince myself it’s ok to open a port or two for Vaultwarden and I think about using the guide part about “Caddy with HTTP challenge”, but I get worried because it says it’s going to need ports 80 and 443 for the certificates, but my OPNSense firewall uses those in the anti-lockout firewall rules that I cannot modify. So I don’t know that I can forward those ports over to the server/container.
Anyone willing/able to point me in the right direction to set up OPNSense so that it can give my vaultwarden instance an SSL certificate SAFELY? I am a bit lost in all the options. I see nginx being talked about, and that’s available as a container, but I also see it mentioned in OPNSense options, but I also see a LOT of warnings about security with nginx … and my head starts to spin. It’s too much to consume at once. Can someone point me in the right direction?
Thank you!
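The “Caddy with DNS challenge” setup the post is stuck on, written out as one compose file (an added example, not the poster’s files and not copied from the vaultwarden wiki). Caddy with the DuckDNS module is built inside Docker by xcaddy, so no downloaded binary has to run on the host, and because DNS-01 proves control of the DuckDNS record rather than of ports 80/443, the OPNsense anti-lockout rules never come into play for issuance. Assumed: Docker Compose 2.23 or newer (inline Dockerfile and config content), and a `.env` file next to it holding `DOMAIN` and `DUCKDNS_TOKEN`.

```yaml
# Added example: Vaultwarden behind Caddy, certificate via DuckDNS DNS-01.
# Assumed (not from the post): Compose >= 2.23, a .env with DOMAIN and
# DUCKDNS_TOKEN, and host directories ./vw-data, ./caddy-data, ./caddy-config.
services:
  vaultwarden:
    image: vaultwarden/server:latest
    restart: unless-stopped
    environment:
      DOMAIN: "https://${DOMAIN}"   # public URL, e.g. https://vault.example.duckdns.org
      SIGNUPS_ALLOWED: "true"       # switch to "false" once the first account exists
    volumes:
      - ./vw-data:/data
    # no "ports:" here: only Caddy can reach it, over the compose network

  caddy:
    build:
      context: .
      dockerfile_inline: |
        FROM caddy:2-builder AS builder
        RUN xcaddy build --with github.com/caddy-dns/duckdns
        FROM caddy:2
        COPY --from=builder /usr/bin/caddy /usr/bin/caddy
    restart: unless-stopped
    ports:
      - "443:443"   # TLS for LAN or WireGuard clients; port 80 is not needed for DNS-01
    environment:
      DUCKDNS_TOKEN: "${DUCKDNS_TOKEN}"   # read by the dns module at runtime, not written into the Caddyfile
    configs:
      - source: caddyfile
        target: /etc/caddy/Caddyfile
    volumes:
      - ./caddy-data:/data      # ACME account key and certificates persist here
      - ./caddy-config:/config

configs:
  caddyfile:
    content: |
      ${DOMAIN} {
        tls {
          dns duckdns {env.DUCKDNS_TOKEN}
        }
        header {
          Strict-Transport-Security "max-age=31536000;"
          X-Content-Type-Options "nosniff"
          -Server
        }
        reverse_proxy vaultwarden:80
      }
```

The DuckDNS A record can point at the server’s private LAN address, so the name only resolves usefully for LAN and WireGuard clients while the certificate is still publicly trusted; nothing needs to be forwarded on the firewall unless the mobile app is to be used without the VPN, in which case forward 443 only.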