(Mostly) automated setup of vaultwarden on Digital Ocean.
This project sets up a self-hosted vaultwarden server with:
- Automated HTTPS and certificate management using the Caddy reverse proxy
- Fail2Ban, which bans IPs attempting brute-force logins and sends email alerts
- Automated OS patching and vaultwarden image updates
Prerequisites:
- A Digital Ocean account
- A Digital Ocean personal access token with write access
- An SSH key pair whose public key is uploaded to Digital Ocean and whose private key is available on your device
- Terraform installed
- A registered domain name, with access to modify its DNS records
Clone this repo. In `./vw`, copy `.env.template` to a file named `.env` and fill out the variables.

In `./infra`, copy `terraform.tfvars.template` to a file named `terraform.tfvars` and fill out the variables.
This project assumes you want the vaultwarden server accessible from a subdomain of an existing domain of yours.
To do this, in your domain registrar create an NS record for your subdomain which points to the three Digital Ocean nameservers (ns1.digitalocean.com, ns2.digitalocean.com, ns3.digitalocean.com). This delegates the subdomain to Digital Ocean DNS, where terraform manages its records.
For example, the record in your domain registrar should be similar to:
| Host name | Type | TTL | Data |
|---|---|---|---|
| vaultwarden.example.com | NS | 3600 | ns1.digitalocean.com. ns2.digitalocean.com. ns3.digitalocean.com. |
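To confirm the delegation is in place before provisioning, the following POSIX shell script (an added example, not part of this project) asks a parent-zone authoritative server for the subdomain's NS records and checks that all three Digital Ocean nameservers are present. It assumes `dig` is installed and that the subdomain sits one label below the delegating zone.

```shell
#!/bin/sh
# Added example (not part of this project): verify that a subdomain's NS
# delegation points at all three Digital Ocean nameservers.
# Assumes `dig` is installed and the subdomain sits one label below the
# delegating zone (vaultwarden.example.com -> example.com).
EXPECTED_NS="ns1.digitalocean.com. ns2.digitalocean.com. ns3.digitalocean.com."

# $1: nameserver names, one per line. Returns 0 only if every expected
# Digital Ocean nameserver is present (case-insensitive, whole line).
ns_delegation_ok() {
  answers="$1"
  for ns in $EXPECTED_NS; do
    printf '%s\n' "$answers" | grep -qixF "$ns" || return 1
  done
  return 0
}

# $1: the subdomain, e.g. vaultwarden.example.com
check_subdomain() {
  sub="$1"
  parent="${sub#*.}"
  # Ask a parent-zone authoritative server directly: before `terraform apply`
  # the Digital Ocean servers do not yet host the zone, so a recursive
  # resolver would return nothing (or a stale cached answer).
  parent_ns=$(dig +short NS "$parent" | head -n 1)
  if [ -z "$parent_ns" ]; then
    echo "ERROR: no nameservers found for parent zone $parent" >&2
    return 1
  fi
  # The delegation comes back in the AUTHORITY section of the referral;
  # keep only NS records (an NXDOMAIN reply carries an SOA instead).
  answers=$(dig +noall +authority NS "$sub" "@$parent_ns" | awk '$4 == "NS" { print $5 }')
  if ns_delegation_ok "$answers"; then
    echo "OK: $sub is delegated to ns1/ns2/ns3.digitalocean.com"
  else
    echo "MISSING: delegation for $sub returned:" >&2
    printf '%s\n' "$answers" >&2
    return 1
  fi
}

if [ "$#" -eq 1 ]; then
  check_subdomain "$1"
fi
```

Run it as `sh check_delegation.sh vaultwarden.example.com`; a non-zero exit means the registrar record is missing, incomplete, or has not propagated yet.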
- Start the ssh-agent:
  ```sh
  eval "$(ssh-agent -s)"
  ```
- Add your private key (from prerequisite 3) to the ssh-agent:
  ```sh
  ssh-add ~/.ssh/<your_private_key>
  ```
In the `./infra` directory, initialise the terraform backend:

```sh
terraform init
```

Apply the terraform changes:

```sh
terraform apply
```
The infra provisioning should take ~4 mins.
After provisioning, it should take ~1 min for vaultwarden to become accessible at your subdomain.
- OS patching is automated via unattended-upgrades. On days when patching requires it, a system reboot is scheduled for 3am (in the configured TZ).