mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2025-12-16 04:09:03 +00:00
Updated Using Podman (markdown)
Erwan Colin
parent
edad02c2ef
commit
27ca93d12f
146
Using-Podman.md
146
Using-Podman.md
@ -137,4 +137,148 @@ If you want the container to have a specific name, you might need to add `ExecSt
|
||||
|
||||
If the host goes down or the container crashes, the systemd service file should automatically stop the existing container and spin it up again. We can find the error through `journalctl -u container-vaultwarden -t 100`.
|
||||
|
||||
Most of the time the errors we see can be fixed by simply upping the timeout in Podman command in the service file.
|
||||
Most of the time the errors we see can be fixed by simply upping the timeout in Podman command in the service file.
|
||||
|
||||
## Full use of quadlet files for Vaultwarden and database
|
||||
|
||||
The application and the PostgreSQL database are containerised and placed in a pod. The application uses its own network via the Podman network functionality. Persistent volumes are used for database data and for Vaultwarden application data. Secrets used by the deployment containers are managed by the Podman secret functionality.
|
||||
|
||||
```mermaid
|
||||
flowchart TD
|
||||
A(vaultwarden.network) --- B(vaultwarden.pod)
|
||||
B --- C(vaultwarden-app.container)
|
||||
B --- D(vaultwarden-db.container)
|
||||
C --- G[/env_file=/etc/vaultwarden/config/]
|
||||
C --- E[(vaultwarden-app.volume)]
|
||||
D --- F[(vaultwarden-db.volume)]
|
||||
D --- H[/env_file=/home/vaultwarden/vaultwarden/vaultwarden-db.env/]
|
||||
C --- I{{podman-secret: database_url, admin_token}}
|
||||
D --- J{{podman-secret: postgres_password}}
|
||||
style A fill:#ffec99
|
||||
style B fill:#ffc9c9
|
||||
style C fill:#b2f2bb
|
||||
style D fill:#b2f2bb
|
||||
style E fill:#a5d8ff
|
||||
style F fill:#a5d8ff
|
||||
style G fill:#f08c00
|
||||
style H fill:#f08c00
|
||||
style I fill:#d0bfff
|
||||
style J fill:#d0bfff
|
||||
```
|
||||
|
||||
This infrastructure is defined using these quadlet files:
|
||||
|
||||
- vaultwarden-app.container
|
||||
- vaultwarden-app.volume
|
||||
- vaultwarden-db.container
|
||||
- vaultwarden-db.volume
|
||||
- vaultwarden.network
|
||||
- vaultwarden.pod
|
||||
|
||||
### Definition of the Pod
|
||||
|
||||
Create the file `~/.config/containers/systemd/vaultwarden.pod:
|
||||
|
||||
```systemd
|
||||
[Pod]
|
||||
PodName=vaultwarden
|
||||
Network=vaultwarden.network
|
||||
PublishPort=8080:8080
|
||||
```
|
||||
|
||||
### Definition of the network
|
||||
|
||||
|
||||
Create the file `~/.config/containers/systemd/vaultwarden.network:
|
||||
|
||||
```systemd
|
||||
[Network]
|
||||
NetworkName=vaultwarden
|
||||
Gateway=192.168.220.1
|
||||
Subnet=192.168.220.0/24
|
||||
```
|
||||
|
||||
### Definition of the persistent volumes
|
||||
|
||||
Create the file `~/.config/containers/systemd/vaultwarden-app.volume`:
|
||||
|
||||
```systemd
|
||||
[Volume]
|
||||
VolumeName=vaultwarden-app
|
||||
```
|
||||
|
||||
and the file `~/.config/containers/systemd/vaultwarden-db.volume`:
|
||||
|
||||
```systemd
|
||||
[Volume]
|
||||
VolumeName=vaultwarden-db
|
||||
```
|
||||
|
||||
### Definition of the containers
|
||||
|
||||
Create the file `~/.config/containers/systemd/vaultwarden-app.container`:
|
||||
|
||||
```systemd
|
||||
[Container]
|
||||
ContainerName=vaultwarden-app
|
||||
EnvironmentFile=/etc/vaultwarden/config
|
||||
HealthCmd=/healthcheck.sh
|
||||
HealthInterval=120s
|
||||
HealthRetries=10
|
||||
HealthTimeout=45s
|
||||
Image=docker.io/vaultwarden/server:1.34.3
|
||||
Pod=vaultwarden.pod
|
||||
Secret=database_url,type=env,target=DATABASE_URL
|
||||
Secret=admin_token,type=env,target=ADMIN_TOKEN
|
||||
Volume=vaultwarden-app.volume:/data
|
||||
[Unit]
|
||||
Requires=vaultwarden-db.service
|
||||
After=vaultwarden-db.service
|
||||
|
||||
[Install]
|
||||
WantedBy=default.target
|
||||
```
|
||||
|
||||
and the file `~/.config/containers/systemd/vaultwarden-db.container`:
|
||||
|
||||
```systemd
|
||||
[Container]
|
||||
ContainerName=vaultwarden-db
|
||||
EnvironmentFile=/home/vaultwarden/vaultwarden/vaultwarden-db.env
|
||||
HealthCmd=/usr/bin/pg_isready -q -d vaultwarden -U vaultwarden
|
||||
HealthInterval=120s
|
||||
HealthRetries=10
|
||||
HealthTimeout=45s
|
||||
Image=docker.io/library/postgres:17
|
||||
Pod=vaultwarden.pod
|
||||
Secret=postgres_password,type=env,target=POSTGRES_PASSWORD
|
||||
Volume=vaultwarden-db.volume:/var/lib/postgresql/data
|
||||
|
||||
[Install]
|
||||
WantedBy=default.target
|
||||
```
|
||||
|
||||
### Configuration
|
||||
|
||||
Configuration is done using the environment file `/etc/vaultwarden/config` and `~/vaultwarden/vaultwarden-db.env`.
|
||||
|
||||
In the `~/vaultwarden/vaultwarden-db.env` file set the vars `POSTGRES_USER` and `POSTGRES_DB`
|
||||
|
||||
### Secrets
|
||||
|
||||
You need to define the secrets `postgres_password`, `database_url` and `admin_token` :
|
||||
|
||||
I assume that POSTGRES_USER=vaultwarden and POSTGRES_DB=vaultwarden
|
||||
|
||||
```bash
|
||||
openssl rand -base64 32|podman secret create postgres_password -
|
||||
echo "postgres://vaultwarden:$(podman secret inspect --showsecret --format '{{.SecretData}}' postgres_password)@vaultwarden-db/vaultwarden"|podman secret create database_url -
|
||||
echo -n "MySecretPassword" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4|podman secret create admin_token -
|
||||
```
|
||||
|
||||
### Deploy
|
||||
|
||||
```bash
|
||||
systemctl --user daemon-reload
|
||||
systemctl --user start vaultwarden-pod.service
|
||||
```
|
||||
Loading…
Reference in New Issue
Block a user