Vaultwarden
alvis edited this page 2026-03-08 13:44:39 +00:00

Self-hosted Bitwarden-compatible password manager.

  • URL: https://vw.alogins.net
  • Admin panel: https://vw.alogins.net/admin
  • Data: /mnt/ssd/dbs/vw-data/
  • Port: 127.0.0.1:8041 (loopback only, proxied via Caddy)

Setup

cd ~/agap_git/vaultwarden
docker compose up -d

docker-compose.yml

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      DOMAIN: "https://vw.alogins.net"
      ADMIN_TOKEN: "<argon2id hash>"
    volumes:
      - /mnt/ssd/dbs/vw-data/:/data/
    ports:
      - 127.0.0.1:8041:80

CLI Setup

Bitwarden CLI (bw) is installed at /home/alvis/bin/bw (on PATH).

Server is configured to https://localhost:8042 (Caddy local HTTPS — avoids hairpin NAT issue with public IP).

# Configure server (one-time)
bw config server https://localhost:8042

# Login (one-time)
bw login adolf46@proton.me

# Unlock — use --raw to get a plain session token with no extra output
SESSION=$(bw unlock '<master_password>' --raw 2>/dev/null)

# Fetch a token by item name — returns password field value directly
bw get password "GITEA_TOKEN" --session "$SESSION" 2>/dev/null

Important: run unlock and get as separate commands. Never chain them in a single pipeline — bw may write status text to stdout that corrupts the result.

Agap Claude Tokens

All Agap API tokens are stored as individual login entries in the AI collection. The token value is in the password field of each entry.

Item name            ID
GITEA_TOKEN          876136bc-f693-41c7-9372-1cce86f0e179
ZABBIX_TOKEN         184ba8ba-890f-4064-a308-bcbd33ed586c
TELEGRAM_BOT_TOKEN   0ca5faba-1658-4a41-b9d0-bc0393ddff18
TELEGRAM_CHAT_ID     82bf0cb8-3057-4d69-8a39-d55abb516342
HA_TOKEN             f7619a4a-131e-4976-ade0-dd5500ba3e09

Claude fetches these on demand using BW_PASSWORD from its environment.
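
A wrapper for the unlock-then-get sequence from CLI Setup, as an added example (not part of the original page or the project's scripts). It assumes bw is already configured and logged in and that BW_PASSWORD is exported; the function names vw_unlock, vw_get_secret and vw_fetch are hypothetical. The master password is read via --passwordenv and the session via BW_SESSION, so neither appears in the process list.

```bash
#!/usr/bin/env bash
# Added example. Assumes: bw is configured and logged in, BW_PASSWORD is
# exported, and the function names below are hypothetical.

# Unlock the vault and print the session token on stdout.
vw_unlock() {
    local session
    # --passwordenv keeps the master password out of argv and shell history.
    # NODE_TLS_REJECT_UNAUTHORIZED=0 is scoped to this one command, not exported.
    session=$(NODE_TLS_REJECT_UNAUTHORIZED=0 \
        bw unlock --passwordenv BW_PASSWORD --raw 2>/dev/null) || return 1
    # Status text mixed into stdout would contain spaces or newlines;
    # treat an empty or whitespace-bearing value as a failed unlock.
    case "$session" in
        ''|*[[:space:]]*) return 1 ;;
    esac
    printf '%s' "$session"
}

# Print the password field of one item, addressed by name or item ID.
vw_get_secret() {
    local item=$1 session=$2 value
    # BW_SESSION is read by bw itself, so the token is not passed on argv.
    value=$(BW_SESSION="$session" NODE_TLS_REJECT_UNAUTHORIZED=0 \
        bw get password "$item" 2>/dev/null) || return 1
    [ -n "$value" ] || return 1
    printf '%s' "$value"
}

# Unlock, then fetch, as two separate bw invocations.
vw_fetch() {
    local session
    session=$(vw_unlock) || { echo "vw_fetch: unlock failed" >&2; return 1; }
    vw_get_secret "$1" "$session" \
        || { echo "vw_fetch: no value for $1" >&2; return 1; }
}

# Usage: GITEA_TOKEN=$(vw_fetch 876136bc-f693-41c7-9372-1cce86f0e179)
```

Addressing the item by its ID from the table avoids a failed lookup if two items ever share a name.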

Backup

  • Script: ~/agap_git/vaultwarden/backup.sh
  • Destination: /mnt/backups/vaultwarden/<timestamp>/
  • Schedule: every 3 days at 2:00 AM (root crontab)
  • Retention: last 5 backups

Files backed up:

  • db_<timestamp>.sqlite3 — via built-in container backup command (safe with live DB)
  • config.json
  • rsa_key.pem
  • attachments/, sends/ (if present)

Zabbix monitoring: trapper item vaultwarden.backup.ts (id 70368) on host AgapHost. The trigger fires at Warning severity if no backup is received in 4 days.

Setup (one-time, as root):

sudo bash /tmp/setup-vaultwarden-backup.sh  # saves Zabbix token, installs cron, runs test backup

Notes

  • ADMIN_TOKEN is an argon2id hash — generate with vaultwarden hash or use the web tool
  • Caddy handles TLS at https://localhost:8042 (local) and https://vw.alogins.net (public)
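  • NODE_TLS_REJECT_UNAUTHORIZED=0 is required because localhost uses a self-signed cert. It turns off certificate verification for the whole Node.js process, so set it only on the bw command line rather than exporting it shell-wide.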