I thought that Vaultwarden install was going to be a little simpler, but after having consulted a few guides here and there it's maybe less straightforward than I thought.

My use-case is to use it on my internal LAN only with no access from outside whatsoever. In theory, http should be fine, but as this tool will contain quite a bit of sensitive data, I can see why it may be a good idea to go https. Are most of you internal users only setting up https?

My network is behind a pfSense setup that uses unbound to resolve all DNS. Locally, all my DNS requests are being forwarded on the subnet I will have Vaultwarden installed.

  • First question is whether for internal network use only, I need to go https.
  • Second question is whether I need to follow this guide?
  • Creat@discuss.tchncs.de · 3 upvotes · 2 days ago

    Never run something like Vaultwarden with unencrypted traffic. Throwing in a self-signed cert is basically free insurance. You never know when even in your “trusted network” something starts listening in. Just why risk it?

  • manwichmakesameal@lemmy.world · 2 upvotes · edited · 2 days ago

    FWIW, here’s my compose file. I 100% use https for everything internal. With LetsEncrypt and Pihole, why wouldn’t you? It’s dead-simple.

    networks:
      backend:
        external: True
    
    services:
      vaultwarden:
        container_name: vw-svr-00
        image: vaultwarden/server
        environment:
          - TZ=My/Timezone
          - DOMAIN=https://my.internal.domain/
    #    ports:                   # no host port published: the container is reachable only through Traefik on the backend network
    #      - "82:80"
        volumes:
          - ./vw_data:/data
        networks:
          - backend
        restart: always
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.vaultwarden.rule=Host(`my.internal.domain`)"
          - "traefik.http.routers.vaultwarden.entrypoints=websecure"   # TLS is terminated by Traefik on the https entrypoint
          - "traefik.http.routers.vaultwarden.tls=true"
          - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"   # plain HTTP only inside the Docker network
    

    edit: I also run my instance on a subdomain vs a path. So my instance is actually at vw.internal.domain.

  • Coolcoder360@lemmy.world · 1 upvote · 2 days ago

    I think when I set up Vaultwarden with the docker compose it had scripts to generate its own self-signed certificate. So it was already set up to use https.

    I have a CA I created with easyrsa so I went and found the CSR from Vaultwarden and signed it with my own CA, so I didn't have to juggle two certs.

    But otherwise yeah, running it on my local LAN, no Let's Encrypt.
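The private-CA workflow Coolcoder360 describes (sign the Vaultwarden server's CSR with your own CA instead of juggling two certs), and the "self-signed cert is free insurance" point from Creat, as an added example that is not code from this thread, from Vaultwarden or from easyrsa. It uses plain openssl rather than easyrsa, takes the hostname vw.internal.domain from manwichmakesameal's reply as a stand-in for your own, and the output directory, file names and subject names are assumptions. Once ca.crt is imported into the devices that use the vault, every certificate this CA issues is trusted, and the verify step checks exactly what a browser or the Bitwarden client checks: the chain, the hostname in the SAN, and that the leaf cannot itself act as a CA.

```shell
#!/usr/bin/env bash
# Private CA for a LAN-only Vaultwarden: mint a CA, issue a server cert for the
# internal hostname, and verify it the way a client would. Example code for this
# thread, not Vaultwarden's own scripts. Hostname and file names are assumptions.
set -eu

VW_HOST="${VW_HOST:-vw.internal.domain}"   # hostname from the thread; replace with yours

# Create a self-signed CA (key + cert) in directory $1. Explicit extensions mark
# it as a CA that may only sign end-entity certs (pathlen:0).
make_ca() {
  dir="$1"
  mkdir -p "$dir"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/ca.key" -out "$dir/ca.csr" \
    -subj "/CN=Homelab Private CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$dir/ca.ext"
  openssl x509 -req -sha256 -days 3650 -in "$dir/ca.csr" \
    -signkey "$dir/ca.key" -extfile "$dir/ca.ext" -out "$dir/ca.crt" >/dev/null 2>&1
  chmod 600 "$dir/ca.key"
}

# Create the server key and CSR for the Vaultwarden hostname ($2) in $1.
make_server_csr() {
  dir="$1"; host="$2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "/CN=$host" >/dev/null 2>&1
  chmod 600 "$dir/server.key"
}

# Sign the CSR with the CA. Extensions come from the ext file, not the CSR, so a
# CSR cannot smuggle in CA:TRUE; the SAN is required because modern clients
# ignore the CN. Leaf lifetime is kept short (397 days, the browser maximum).
sign_csr() {
  dir="$1"; host="$2"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" \
    > "$dir/leaf.ext"
  openssl x509 -req -sha256 -days 397 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/leaf.ext" -out "$dir/server.crt" >/dev/null 2>&1
}

# Client-side view: chain to the CA, hostname matches the SAN, leaf is not a CA.
# Returns 0 when all three hold, 1 otherwise.
verify_chain() {
  dir="$1"; host="$2"
  openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$host" "$dir/server.crt" >/dev/null 2>&1 || return 1
  txt="$(openssl x509 -in "$dir/server.crt" -noout -text)"
  case "$txt" in *"DNS:$host"*) ;; *) return 1 ;; esac
  case "$txt" in *"CA:FALSE"*) ;; *) return 1 ;; esac
  return 0
}

# End to end: CA, CSR, signed leaf, verification. Files land in $1.
issue_vaultwarden_cert() {
  dir="$1"; host="${2:-$VW_HOST}"
  make_ca "$dir"
  make_server_csr "$dir" "$host"
  sign_csr "$dir" "$host"
  verify_chain "$dir" "$host"
}

# Stand-alone run: issue into a fresh temp directory and report where it went.
out="$(mktemp -d)"
issue_vaultwarden_cert "$out" "$VW_HOST" && printf 'CA and server cert for %s written to %s\n' "$VW_HOST" "$out"
```

Hand server.crt and server.key to whatever terminates TLS (Traefik in the compose file above, or Vaultwarden's own Rocket TLS settings), install ca.crt on the clients, and keep ca.key off the server that serves the vault; the CA only needs to come out again when a leaf expires.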