Vaultwarden (Password Manager)
IP: 192.168.1.XXX | Port: 8081 | Stack: pi5/vaultwarden/ | Domain: vault.internal.lab
Overview
Self-hosted Bitwarden-compatible password manager. Centralized credential storage to replace scattered .env files across the homelab.
Access
| Endpoint | URL |
|---|---|
| Web UI | https://vault.internal.lab (via NPM) |
| Direct | http://192.168.1.XXX:8081 |
| Admin | https://vault.internal.lab/admin |
Location
```
/opt/pi5-stacks/vaultwarden/
├── docker-compose.yaml
├── vw-data/            # Persistent data
├── .env                # Environment variables (not in git)
└── DEPLOYMENT.md       # Deployment notes
```
Docker Compose
```yaml
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    ports:
      - "8081:80"
    environment:
      - WEBSOCKET_ENABLED=true
      - SIGNUPS_ALLOWED=false
      - ADMIN_TOKEN=${ADMIN_TOKEN}
    volumes:
      - ./vw-data:/data
    security_opt:
      - no-new-privileges:true
```
Key Configuration Notes
- Signups Disabled: Admin creates all accounts (security best practice)
- WebSocket Enabled: Real-time sync between devices
- Admin Token: [REDACTED]. Required for admin panel access
- Data Location: ./vw-data persists passwords and settings
Initial Setup
1. Create Admin Account
- Visit https://vault.internal.lab
- Click “Create account” (first user becomes admin when signups are disabled)
- Or use admin panel: https://vault.internal.lab/admin
2. Retrieve Admin Token
```bash
ssh cib@192.168.1.XXX "cat /opt/pi5-stacks/vaultwarden/vw-data/.admin_token"
```
3. Create Organization (Optional)
- Admin panel → Organizations → Create
- Invite users by email
- Shared collections for team credentials
Nginx Proxy Manager Configuration
Required for vault.internal.lab access:
| Setting | Value |
|---|---|
| Domain Names | vault.internal.lab |
| Scheme | http |
| Forward Hostname/IP | 192.168.1.XXX |
| Forward Port | 8081 |
| Cache Assets | ☑️ |
| Block Common Exploits | ☑️ |
| SSL | ☑️ (Request new certificate) |
DNS Configuration
Add to both Pi-hole instances:
vault.internal.lab → 192.168.1.XXX
Primary Pi-hole (192.168.1.XXX): Local DNS → DNS Records
Secondary Pi-hole (192.168.1.XXX): Local DNS → DNS Records
Security Considerations
Why Signups Disabled?
- Prevents unauthorized account creation
- Admin controls all user provisioning
- Required for enterprise/business use cases
Admin Token Storage
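```bash
# Secure location on Pi5: /opt/pi5-stacks/vaultwarden/vw-data/.admin_token
# Restrict the token file to its owner (read/write only)
chmod 600 /opt/pi5-stacks/vaultwarden/vw-data/.admin_token
```
Backup Strategy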
- vw-data directory contains all encrypted vaults
- Backup to NAS: /mnt/nas/homelab/backups/vaultwarden/
- Restore: Copy vw-data back and restart container
Client Applications
Bitwarden Official Apps
All apps work with Vaultwarden:
- Browser Extensions: Chrome, Firefox, Safari, Edge
- Mobile: iOS, Android
- Desktop: Windows, macOS, Linux
- CLI: bw command line tool
Self-Hosted Server URL
Configure all clients with:
Server URL: https://vault.internal.lab
Migration from Scattered .env Files
Step 1: Inventory Existing Secrets
```bash
# Find all .env files
find /opt -name ".env" -type f 2>/dev/null
# Extract credentials (example)
grep -E "(PASSWORD|SECRET|TOKEN|KEY)=" /opt/*/docker-compose.yaml 2>/dev/null
```
Step 2: Create Collections in Vaultwarden
- Docker Stacks - Database passwords, API keys
- Services - Individual service credentials
- Infrastructure - SSH keys, root passwords
- External APIs - Cloud provider tokens
Step 3: Update Services to Use Vaultwarden
Future enhancement: Use Vaultwarden as secret backend for Docker
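An added example (not part of the original page or its stack): a variant of the Step 1 inventory that lists which keys look like secrets without echoing their values, and flags files readable by anyone other than the owner. The function name `inventory_secrets` and the output columns are hypothetical; it assumes GNU `stat` (Linux) and file names without newlines.

```shell
# Usage: inventory_secrets /opt
# Prints one tab-separated line per hit: <file> <mode> <perms> <KEY> <kind>
# Secret values are never printed, so the output is safe to paste into notes.
inventory_secrets() {
    root="${1:-/opt}"   # /opt is where the page keeps its stacks

    find "$root" -type f \( -name '.env' -o -name 'docker-compose.yaml' \) 2>/dev/null |
    while IFS= read -r file; do
        mode=$(stat -c '%a' "$file")
        # Only owner-only modes (600, 400, ...) count as ok, matching the
        # chmod 600 used for .admin_token on this page.
        case "$mode" in
            ?00) perms="ok" ;;
            *)   perms="LOOSE_PERMS" ;;
        esac

        awk -v f="$file" -v m="$mode" -v p="$perms" '
        {
            line = $0
            # Strip indentation and a YAML list dash ("- KEY=value").
            sub(/^[ \t]*(-[ \t]*)?/, "", line)
            # Same key pattern as the grep in Step 1; commented lines fail here.
            if (line !~ /^[A-Za-z0-9_]*(PASSWORD|SECRET|TOKEN|KEY)[A-Za-z0-9_]*[ \t]*[=:]/) next

            key = line; sub(/[ \t]*[=:].*/, "", key)
            val = line; sub(/^[^=:]*[=:][ \t]*/, "", val)
            if (substr(val, 1, 1) == "\"") val = substr(val, 2)

            # Classify the value, then drop it: only the kind is reported.
            if (val == "")                  kind = "empty"
            else if (index(val, "${") == 1) kind = "reference"
            else                            kind = "literal"

            if (!seen[key, kind]++)
                printf "%s\t%s\t%s\t%s\t%s\n", f, m, p, key, kind
        }' "$file"
    done
}
```

Rows marked `literal` are the credentials to move into Vaultwarden collections; `reference` rows (such as `ADMIN_TOKEN=${ADMIN_TOKEN}` in the compose file above) only point at a value defined elsewhere.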
Troubleshooting
Can’t Access Admin Panel
- Verify ADMIN_TOKEN is set
- Check token file exists: cat vw-data/.admin_token
- Restart container: docker compose restart
Sync Issues Between Devices
- Verify WebSocket is enabled
- Check browser console for WebSocket errors
- Ensure NPM WebSocket support is configured
Forgot Admin Password
- No recovery possible without email configured
- Best practice: Set up email (SMTP) for password resets
- Last resort: Reset vault (loses all data)
Related Pages
- Pi5 - Host server
- Network-Topology - DNS and IP assignments
- Security-Best-Practices - Credential management
- Environment-Files - Migrating from .env files
Deployment Date
2026-02-16 - Deployed on Pi5 as part of homelab security improvements