I’d been looking for a FOSS solution for team password management for a while, and finally dove in and tried out a few solutions. I settled on bitwarden_rs, a community-built lightweight implementation of the Bitwarden server API. It’s built in Rust and deploys as a single Docker container.
The first-party Bitwarden server is also FOSS, but is an older and heavier application. While it does leverage Docker for deployment, the supported method is to use their provided scripts to orchestrate a set of containers. I wanted something that was more “cloud-native” so that I could try it out and start using it immediately via docker-compose but eventually transition to hosting it in a brigade Kubernetes cluster.
A big plus of using a Bitwarden server is that there’s a whole host of official clients out there for Chrome, Android, iOS, etc. that the Bitwarden company maintains, distributes and shares the source code for, but which you can easily point at your own instance from the options on the login screen. The client applications all work via a synchronization routine, so if for whatever reason your server ever goes down temporarily or for good, every client still has its own data.
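You can spin it up pretty easily with a docker-compose.yml file like this:

```yaml
version: "2"
services:
  web:
    image: mprasil/bitwarden:latest
    restart: always
    volumes:
      # Vault data persists in ./data next to this file
      - ./data:/data
    ports:
      # Published on loopback only; the reverse proxy connects here
      - "127.0.0.1:9280:80"
```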
That’ll put all its data in ./data relative to the docker-compose.yml file. Get that into a backup routine somehow, or just use DigitalOcean’s automatic (but optional) whole-machine every-3-days snapshotting.
This config exposes it on port 9280 internally (bound to 127.0.0.1 only), so you could then put an nginx server in front of it that encrypts everything and routes some particular subdomain to Bitwarden and other subdomains to other containers you run.
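The 127.0.0.1 prefix in the port mapping is what keeps the container's unencrypted port reachable only through the proxy. The following check is an added example, not code from the original post or from the bitwarden_rs project: it flags compose port mappings that are not bound to loopback. The `other` service, the sample text and all function names are hypothetical, and the scanner assumes two-space indentation and short-syntax `ports` entries.

```python
import ipaddress
import re

# Constructed sample: the post's service plus a hypothetical "other" service.
SAMPLE_COMPOSE = """\
version: "2"
services:
  web:
    image: mprasil/bitwarden:latest
    ports:
      - "127.0.0.1:9280:80"
  other:
    image: example/other:latest
    ports:
      - "8080:80"
      - "[::1]:9443:443"
"""

def host_ip(spec):
    """Host IP of a short-syntax mapping [IP:]HOST:CONTAINER[/proto], or None."""
    spec = spec.split("/")[0]                 # drop "/tcp" or "/udp"
    if spec.startswith("[") and "]" in spec:  # bracketed IPv6 host address
        return spec[1:spec.index("]")]
    parts = spec.split(":")
    return parts[0] if len(parts) == 3 else None

def is_loopback_only(spec):
    """True only when the mapping names a loopback host IP."""
    try:
        return ipaddress.ip_address(host_ip(spec) or "").is_loopback
    except ValueError:
        # No host IP (Docker publishes on all interfaces by default)
        # or an unparseable one: fail closed.
        return False

def exposed_ports(compose_text):
    """Return (service, mapping) pairs published beyond loopback."""
    findings, service, in_ports = [], None, False
    for line in compose_text.splitlines():
        text = line.strip()
        if not text or text.startswith("#"):
            continue
        item = re.match(r'''-\s*["']?([^"'#\s]+)''', text)
        if in_ports and item:
            if not is_loopback_only(item.group(1)):
                findings.append((service, item.group(1)))
            continue
        in_ports = text == "ports:"
        if re.match(r"  \S+:$", line.rstrip()):  # key at two-space indent
            service = text[:-1]
    return findings
```

Run against the sample, `exposed_ports(SAMPLE_COMPOSE)` reports only the hypothetical `other` service's `8080:80` mapping; the loopback-bound mappings pass.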