Setting up a self-hosted password management platform with vaultwarden (without Docker)
Where vaultwarden comes from
Project URL: https://github.com/dani-garcia/vaultwarden.git
The description on GitHub:
Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs
🌠 vaultwarden is a lightweight implementation of the official Bitwarden server, well suited to a VPS with limited resources.
Obtaining the executable
The VPS uses LXD virtualization, which cannot run Docker, so the program has to be run directly.
📌 Building the binary from source yourself is not recommended here.
Extract the executable from the Docker image:
Official guide
$ mkdir vw-image
$ cd vw-image
$ wget https://raw.githubusercontent.com/jjlin/docker-image-extract/main/docker-image-extract
$ chmod +x docker-image-extract
$ ./docker-image-extract vaultwarden/server:alpine
Getting API token...
Getting image manifest for vaultwarden/server:alpine...
Downloading layer 801bfaa63ef2094d770c809815b9e2b9c1194728e5e754ef7bc764030e140cea...
Extracting layer...
Downloading layer c6d331ed95271d8005dea195449ab4ef943017dc97ab134a4426faf441ae4fa6...
Extracting layer...
Downloading layer bfd9ec32f740ca8c86ccde057595d29a31eb093aafd7619fcdd4b956c7bf95e3...
Extracting layer...
Downloading layer e9bfb5d92e4629b1dcb4a13a470c90f51b9edde4e184d8520afc589728b8b675...
Extracting layer...
Downloading layer 5757963c858ce72bc4a1874f4971d326d21d2a844f03063a3c99e312150adf95...
Extracting layer...
Downloading layer f705bf64e4315fea1830cc137d1deda194e825da03bd7822e41ac52457bc83e7...
Extracting layer...
Downloading layer 909b5deb38cbce9f83598918bf7f38b7c2194d385456cf7ef15eff47f8a63108...
Extracting layer...
Downloading layer 8516f4cd818630cd60fa18254b072f8d9c3748bdb56f6e2527dc1c204e8e017c...
Extracting layer...
Image contents extracted into ./output.
$ ls -ld output/{vaultwarden,web-vault}
-rwx------ 1 user user 22054608 Feb 6 21:46 output/vaultwarden
drwx------ 8 user user 4096 Feb 6 21:46 output/web-vault/
Copying the files and editing the configuration
Copy the files and directories
ubuntu:/opt/vw-image$ mkdir -p /opt/vaultwarden
ubuntu:/opt/vw-image$ cd output/
# Copy the files and directories that are needed into the directory created above
ubuntu:/opt/vw-image/output$ cp -rf vaultwarden web-vault/ data/ /opt/vaultwarden/
# Download the env file
ubuntu:/opt/vw-image/output$ cd /opt/vaultwarden/
ubuntu:/opt/vaultwarden$ wget https://raw.githubusercontent.com/dani-garcia/vaultwarden/main/.env.template -O vaultwarden.env
Edit the configuration file
# Used to push notifications to the web client
## Enables websocket notifications
WEBSOCKET_ENABLED=true
## Controls the WebSocket server address and port
WEBSOCKET_ADDRESS=0.0.0.0
WEBSOCKET_PORT=3012
# Enable the admin interface for easier management; generate a random token as the comment below suggests
## Token for the admin interface, preferably use a long random string
## One option is to use 'openssl rand -base64 48'
## If not set, the admin panel is disabled
ADMIN_TOKEN=zOArDihR/WNW3N1MVbNt6/YkoHg8i115pqfGzgMrgSOKkr27GxC8+JPMZLJbhOMQ
## Domain settings
## The domain must match the address from where you access the server
## It's recommended to configure this value, otherwise certain functionality might not work,
## like attachment downloads, email links and U2F.
## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs
# Replace the placeholder with your own domain
DOMAIN=https://<your-domain>
## Rocket specific settings
## See https://rocket.rs/v0.4/guide/configuration/ for more details.
ROCKET_ADDRESS=0.0.0.0
# 🏳🌈🏳🌈 Remove the leading "#" from this line in the template so that it takes effect!!!! 🏳🌈🏳🌈
ROCKET_PORT=80
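As an added example (not from the original post or the vaultwarden project), here is a small POSIX sh script that lints the env file before systemd loads it. It checks that the file is not readable by group or others (it contains ADMIN_TOKEN), that no trailing `# comment` follows a value (systemd's EnvironmentFile= only ignores lines that begin with `#`, so a trailing comment ends up inside the value), that ADMIN_TOKEN is set and reasonably long, that DOMAIN is a full https:// URL, and that ROCKET_PORT is a bare number. The 32-character token minimum and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the original post or the vaultwarden project):
# lint a vaultwarden env file before systemd loads it through EnvironmentFile=.
# Assumes POSIX sh with grep, cut, tail and ls. MIN_TOKEN_LEN is a threshold
# chosen for this example, not a limit enforced by vaultwarden.

MIN_TOKEN_LEN=32

# Print the value of the last active KEY=value line for key $2 in file $1,
# the same line systemd would use (lines starting with '#' are skipped).
get_var() {
    grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# Print one line per problem found in the env file $1.
# Returns 0 when the file passes every check, 1 otherwise.
check_env_file() {
    file="$1"
    problems=0

    # ADMIN_TOKEN grants full access to the admin panel, so group/others must
    # have no permissions at all (columns 5-10 of `ls -l` are the g/o bits).
    if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
        echo "$file: readable by group or others, run: chmod 600 $file"
        problems=$((problems + 1))
    fi

    # systemd's EnvironmentFile= only ignores lines that *start* with '#'.
    # A trailing "# comment" after a value is kept as part of the value.
    if grep -Eq '^[A-Za-z_][A-Za-z0-9_]*=[^#"]*[[:space:]]#' "$file"; then
        echo "$file: inline '#' comment after a value; move it to its own line"
        problems=$((problems + 1))
    fi

    token=$(get_var "$file" ADMIN_TOKEN)
    if [ -z "$token" ]; then
        echo "$file: ADMIN_TOKEN is not set, the admin panel will be disabled"
        problems=$((problems + 1))
    elif [ "${#token}" -lt "$MIN_TOKEN_LEN" ]; then
        echo "$file: ADMIN_TOKEN is shorter than $MIN_TOKEN_LEN characters"
        problems=$((problems + 1))
    fi

    # DOMAIN must be the full URL the clients use, including the scheme.
    case "$(get_var "$file" DOMAIN)" in
        https://*) ;;
        *) echo "$file: DOMAIN is missing or does not start with https://"
           problems=$((problems + 1)) ;;
    esac

    # ROCKET_PORT, if set, must be a bare number.
    case "$(get_var "$file" ROCKET_PORT)" in
        '') ;;
        *[!0-9]*) echo "$file: ROCKET_PORT is not a plain number"
                  problems=$((problems + 1)) ;;
    esac

    [ "$problems" -eq 0 ]
}

# Stand-alone usage: sh check-env.sh /opt/vaultwarden/vaultwarden.env
if [ "$#" -gt 0 ]; then
    check_env_file "$1"
fi
```

The exit status is 0 only when every check passes, so the script can gate `systemctl start vaultwarden.service` in a deployment script.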
Setting it to start on boot
On Ubuntu, starting on boot is handled by a systemd unit file; create the unit shown below.
The unit file lives at: /etc/systemd/system/vaultwarden.service
[Unit]
Description=vaultwarden Server (Rust Edition)
Documentation=https://github.com/dani-garcia/vaultwarden
# Only sqlite
After=network.target network-online.target
Requires=network-online.target
# MariaDB
# After=network.target mariadb.service
# Requires=mariadb.service
# Mysql
# After=network.target mysqld.service
# Requires=mysqld.service
# PostgreSQL
# After=network.target postgresql.service
# Requires=postgresql.service
[Service]
# The location of the .env file for configuration
EnvironmentFile=/opt/vaultwarden/vaultwarden.env
# The location of the compiled binary
ExecStart=/opt/vaultwarden/vaultwarden
# Set reasonable connection and process limits
LimitNOFILE=1048576
LimitNPROC=64
# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
WorkingDirectory=/opt/vaultwarden
[Install]
WantedBy=multi-user.target
Try starting the service
$ sudo systemctl start vaultwarden.service
# Check whether it started successfully
$ sudo systemctl status vaultwarden.service
● vaultwarden.service - vaultwarden Server (Rust Edition)
Loaded: loaded (/etc/systemd/system/vaultwarden.service; disabled; vendor preset: enabled)
Active: active (running) since Wed 2021-12-11 17:55:49 CST; 7s ago
Docs: https://github.com/dani-garcia/vaultwarden
Main PID: 1845671 (vaultwarden)
Tasks: 10 (limit: 2050)
Memory: 2.9M
CGroup: /system.slice/vaultwarden.service
└─1845671 /opt/vaultwarden/vaultwarden
Hardening behind a CDN
Installing Caddy
Caddy is, first and foremost, a web server written in Go.
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo tee /etc/apt/trusted.gpg.d/caddy-stable.asc
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy
📢 Replace the binary with a build that supports Cloudflare
wget "https://caddyserver.com/api/download?os=linux&arch=amd64&p=github.com%2Fcaddy-dns%2Fcloudflare&" -O caddy # download a caddy build that includes the Cloudflare DNS module
which caddy
/usr/bin/caddy # this is where the caddy binary lives; replace this file with the one just downloaded
Configuring Caddy
Reference link
Open https://dash.cloudflare.com/profile/api-tokens and create a new API token (the value used as [API-KEY] below)
Edit Caddy's configuration file, located at: /etc/caddy/Caddyfile
https://[YOUR-DOMAIN]:443 {
    tls {
        dns cloudflare [API-KEY] # fill in the Cloudflare API token
    }
    encode gzip
    # A bare "header" block applies to every path; "header /" would only match requests for exactly "/"
    header {
        # Enable HTTP Strict Transport Security (HSTS)
        Strict-Transport-Security "max-age=31536000;"
        # Enable cross-site filter (XSS) and tell browser to block detected attacks
        X-XSS-Protection "1; mode=block"
        # Disallow the site to be rendered within a frame (clickjacking protection)
        X-Frame-Options "DENY"
        # Prevent search engines from indexing (optional)
        X-Robots-Tag "none"
        # Server name removing
        -Server
    }
    # The negotiation endpoint is also proxied to Rocket
    reverse_proxy /notifications/hub/negotiate localhost:80 # if you changed the port, change it here too
    # Notifications redirected to the websockets server
    reverse_proxy /notifications/hub localhost:3012
    # Proxy the Root directory to Rocket
    reverse_proxy localhost:80 {
        # Send the true remote IP to Rocket, so that vaultwarden can put this in the
        # log, so that fail2ban can ban the correct IP.
        header_up X-Real-IP {remote_host}
    }
}
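To confirm that the header block above actually reaches the browser, here is an added example (not from the original post, Caddy or vaultwarden): a POSIX sh script that reads the output of `curl -sI https://YOUR-DOMAIN/` and reports whether HSTS is set for at least a year, whether X-Frame-Options denies framing, and whether the Server banner has been removed. Header names are matched case-insensitively, so the lowercase names that HTTP/2 responses use are handled. The function names and the HSTS_MIN_AGE threshold are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the original post, Caddy or vaultwarden): audit the
# response headers of the deployed site against the hardening block in the
# Caddyfile. Pipe the output of `curl -sI https://YOUR-DOMAIN/` into it.
# Assumes POSIX sh with grep, head, cut, tr and sed. HSTS_MIN_AGE mirrors the
# one-year max-age set in the Caddyfile.

HSTS_MIN_AGE=31536000

# Print the value of the first header named $1 (case-insensitive, so HTTP/2's
# lowercase names work too) from the header text on stdin; nothing if absent.
header_value() {
    grep -i "^$1:" | head -n 1 | cut -d: -f2- | tr -d '\r' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Read response headers from stdin and print one line per finding.
# Returns 0 when every check passes, 1 otherwise.
audit_headers() {
    headers=$(cat)
    failures=0

    # HSTS: present and with a max-age of at least one year.
    hsts=$(printf '%s\n' "$headers" | header_value Strict-Transport-Security)
    age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
    if [ -z "$age" ] || [ "$age" -lt "$HSTS_MIN_AGE" ]; then
        echo "Strict-Transport-Security missing or max-age below $HSTS_MIN_AGE: '$hsts'"
        failures=$((failures + 1))
    fi

    # Clickjacking protection: DENY as in the Caddyfile (SAMEORIGIN also accepted).
    xfo=$(printf '%s\n' "$headers" | header_value X-Frame-Options | tr 'a-z' 'A-Z')
    if [ "$xfo" != "DENY" ] && [ "$xfo" != "SAMEORIGIN" ]; then
        echo "X-Frame-Options missing or permissive: '$xfo'"
        failures=$((failures + 1))
    fi

    # The '-Server' line should have removed the server banner entirely.
    if [ -n "$(printf '%s\n' "$headers" | header_value Server)" ]; then
        echo "Server header still present; the header block did not apply to this path"
        failures=$((failures + 1))
    fi

    [ "$failures" -eq 0 ]
}

# Stand-alone usage: curl -sI https://YOUR-DOMAIN/ | sh audit-headers.sh -
if [ "${1:-}" = "-" ]; then
    audit_headers
fi
```

Run it against a deeper path as well (for example `/api/config`), not only the root: if the headers show up on `/` but not there, the header block is matching too narrowly. X-XSS-Protection is deliberately not checked; current browsers ignore that header, so its absence is not a finding.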
Caddy control commands
# Enable start on boot
systemctl enable caddy
# Start the caddy service
systemctl start caddy
# Stop the caddy service
systemctl stop caddy
# Show the status of the caddy service
systemctl status caddy