"offline" vaultwarden container

Hello

I would like to install Vaultwarden on my QNAP TS230.
I found some manuals on how to do it, but all of the manuals make the Docker/Container Station accessible from the internet with a subdomain.

Is there a way to install vaultwarden without this?
I want only access “offline” when I’m at home.

I think if I’m not at home I can open the Bitwarden app (my vault) on Android or iOS without having physical access. In case I add a new entry, will it sync automatically when I start the Bitwarden app at home?
Or am I wrong?

It would be great if someone can help a little bit.

Maybe some English manuals are not so easy to understand for someone whose native language is not English.

Thanks in advance

Check this post

Regarding this section specifically,

This would not work as you expected. Bitwarden will not allow you to save offline, though you can read-only with the local cache.
I would recommend using a personal VPN to connect back to your house if you want that option, which imo works for a good balance of security and convenience.

Your idea sounds interesting. I think that it’s possible that you can definitely install Vaultwarden on your QNAP TS230 without exposing it to the internet. Well, the setup would involve configuring the Vaultwarden Docker container to run on your local network. This way, it’s accessible only when you’re connected to your home network.

Hi,

Now I have a little bit more time to try to install Vaultwarden.

Sorry for maybe a lot of stupid questions.

I found a manual from umireon on GitHub that says I have to create two shared folders, vaultwarden and letsencrypt.
Then I have to create the application by using this docker-compose.yml:

version: '3.9'

services:
  traefik-config:
    image: 'busybox'
    volumes:
      - 'traefik:/traefik'
    command: |
      sh -c "
      echo '
      http:
        services:
          nasweb:
            loadBalancer:
              servers:
                - url: http://gateway.docker.internal:8080
        routers:
          nasweb:
            rule: Host(`example.myqnapcloud.com`)
            service: nasweb
            tls:
              certresolver: myresolver
          default:
            rule: PathPrefix(`/`)
            service: nasweb
            tls:
              certresolver: myresolver
              domains:
                - main: example.myqnapcloud.com
      ' > /traefik/config.yml && nc -l -p 3000"

  traefik:
    depends_on:
      - 'traefik-config'
    image: 'traefik:v2.4'
    restart: 'always'
    command:
      - '--api.insecure=true'
      - '--providers.docker=true'
      - '--providers.docker.exposedbydefault=false'
      - '--providers.file=true'
      - '--providers.file.filename=/traefik/config.yml'
      - '--providers.file.watch=true'
      - '--entrypoints.websecure.address=:443'
      - '--entrypoints.traefik.address=:3000'
      - '--certificatesresolvers.myresolver.acme.tlschallenge=true'
      - '--certificatesresolvers.myresolver.acme.email=root@example.com'
      - '--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json'
    ports:
      - '443:443'
      - '3000:3000'
    volumes:
      - '/share/letsencrypt:/letsencrypt'   # Create a share folder named `letsencrypt`
      - 'traefik:/traefik'
      - '/var/run/docker.sock:/var/run/docker.sock:ro'
    extra_hosts:
      - 'gateway.docker.internal:host-gateway'

  vaultwarden:
    image: 'vaultwarden/server'
    restart: 'always'
    volumes:
      - '/share/vaultwarden:/data'   # Create a share folder named `vaultwarden`
    environment:
      - 'WEBSOCKET_ENABLED=true'
      - 'SIGNUPS_ALLOWED=true'       # Set to false when you want to disable account registration
      - 'SIGNUPS_VERIFY=true'
      - 'DOMAIN=https://vaultwarden.example.com'
      - 'SMTP_HOST=smtp.mailgun.org'
      - 'SMTP_FROM=postmaster@YOUR_DOMAIN_NAME'
      - 'SMTP_FROM_NAME=Vaultwarden'
      - 'SMTP_PORT=587'
      - 'SMTP_SSL=true'
      - 'SMTP_USERNAME=postmaster@YOUR_DOMAIN_NAME'
      - 'SMTP_PASSWORD=xxxxxxxxxxxxxxxxxxxxxxxxxxx'
      - 'SMTP_TIMEOUT=15'
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.vaultwarden-ui.rule=Host(`vaultwarden.example.com`)'
      - 'traefik.http.routers.vaultwarden-ui.service=vaultwarden-ui'
      - 'traefik.http.routers.vaultwarden-ui.tls.certresolver=myresolver'
      - 'traefik.http.services.vaultwarden-ui.loadbalancer.server.port=80'
      - 'traefik.http.routers.vaultwarden-websocket.rule=Host(`vaultwarden.example.com`) && Path(`/notifications/hub`)'
      - 'traefik.http.routers.vaultwarden-websocket.service=vaultwarden-websocket'
      - 'traefik.http.routers.vaultwarden-websocket.tls.certresolver=myresolver'
      - 'traefik.http.services.vaultwarden-websocket.loadbalancer.server.port=3012'
      - 'traefik.http.routers.vaultwarden-negotiate.rule=Host(`vaultwarden.example.com`) && Path(`/notifications/hub/negotiate`)'
      - 'traefik.http.routers.vaultwarden-negotiate.service=vaultwarden-ui'
      - 'traefik.http.routers.vaultwarden-negotiate.tls.certresolver=myresolver'

volumes:
  traefik:

What do I have to edit for my environment?
Is Traefik necessary?
Do I need a reverse proxy?
I think I have to set up mail details?
I think the best is to use a Let's Encrypt certificate, or?

I read a lot of other things about DUCK DNS, CADDY, CLOUDFLARE.
Is this all necessary?

Now I have my own domain but I think I will use it offline to have it more secure.
If necessary I can connect to home via WireGuard VPN.
The QNAP myqnap ID is not used.

Thanks a lot for your help and tips
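
An added example, not part of the original posts or of the GitHub manual: a small Python check that scans a compose file like the one quoted above for the settings that create or assume network exposure, which are the lines to review first for a home-only setup. The sample text is a constructed excerpt of that file, and the LAN address `192.168.1.10` in it is an assumed placeholder.

```python
import re

# Constructed excerpt of the compose file quoted above, plus one
# LAN-bound port line (assumed address) to show what is NOT flagged.
SAMPLE_COMPOSE = """\
services:
  traefik:
    command:
      - '--api.insecure=true'
      - '--certificatesresolvers.myresolver.acme.tlschallenge=true'
    ports:
      - '443:443'
      - '3000:3000'
      - '192.168.1.10:8443:443'
    volumes:
      - '/var/run/docker.sock:/var/run/docker.sock:ro'
  vaultwarden:
    environment:
      - 'SIGNUPS_ALLOWED=true'
"""

RULES = [
    (r"--api\.insecure=true", "Traefik API/dashboard served without authentication"),
    (r"acme\.tlschallenge=true", "ACME TLS challenge needs port 443 reachable from the internet"),
    (r"/var/run/docker\.sock", "Docker socket mounted into a network-facing container"),
    (r"SIGNUPS_ALLOWED=true", "anyone who can reach the server can register an account"),
]
# 'HOST:CONTAINER' with no leading IP publishes on every interface of the host.
PORT_ALL_IFACES = re.compile(
    r"^\s*-\s*['\"]?(\d+):(\d+)(?:/(?:tcp|udp))?['\"]?\s*(#.*)?$")

def audit(compose_text):
    """Return (line_number, message) for each exposure-related setting."""
    findings = []
    for lineno, line in enumerate(compose_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # skip lines that are entirely comments
        m = PORT_ALL_IFACES.match(line)
        if m:
            findings.append((lineno, f"port {m.group(1)} published on all interfaces"))
        for pattern, message in RULES:
            if re.search(pattern, line):
                findings.append((lineno, message))
    return findings

if __name__ == "__main__":
    for lineno, message in audit(SAMPLE_COMPOSE):
        print(f"line {lineno}: {message}")
```
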