
Overview

This template provides a production‑ready Vaultwarden instance as a Monk runnable. You can:
  • Run it directly to host your own password manager
  • Inherit it in your own infrastructure for team password management
Vaultwarden is an unofficial Bitwarden-compatible server written in Rust. It’s lightweight, easier to deploy than the official Bitwarden server, and perfect for self-hosted password management. It’s compatible with all official Bitwarden clients (desktop, mobile, browser extensions).

What this template manages

  • Vaultwarden server
  • SQLite or MySQL/PostgreSQL backend
  • Web vault UI
  • WebSocket support for sync
  • Admin panel
  • Web UI on port 80/443

Quick start (run directly)

  1. Load templates
monk load MANIFEST
  2. Run Vaultwarden with defaults
monk run vaultwarden/vaultwarden
  3. Customize configuration (recommended via inheritance)
Running directly uses the defaults defined in this template’s variables. Secrets added with monk secrets add will not affect this runnable unless you inherit it and reference those secrets.
  • Preferred: inherit and replace variables with secret("...") as shown below.
  • Alternative: fork/clone and edit the variables in vault.yml, then monk load MANIFEST and run.
Once started:
  • Web Vault: http://localhost:80
  • Admin Panel: http://localhost:80/admin (configure admin token)
Create your account and start storing passwords!

Configuration

Key variables you can customize in this template:
variables:
  vaultwarden-image-tag: "latest"           # Vaultwarden image tag
  http-port: "80"                           # HTTP port
  https-port: "443"                         # HTTPS port (requires SSL)
  domain: "https://vault.example.com"       # public domain URL
  admin-token: "..."                        # admin panel token (generate random)
  signups-allowed: "true"                   # allow new signups
  invitations-allowed: "true"               # allow user invitations
  database-url: "sqlite:///data/db.sqlite3" # or PostgreSQL/MySQL
  smtp-host: "smtp.gmail.com"               # SMTP host for emails
  smtp-from: "vaultwarden@example.com"      # from address
  smtp-username: "..."                      # SMTP username
  smtp-password: "..."                      # SMTP password
Data is persisted under ${monk-volume-path}/vaultwarden:/data on the host.

Inherit the Vaultwarden runnable for team password management. Example:
namespace: myorg
vault:
  defines: runnable
  inherits: vaultwarden/vaultwarden
  variables:
    domain:
      value: "https://vault.myorg.com"
    admin-token:
      value: <- secret("vaultwarden-admin-token")
    signups-allowed:
      value: "false"  # invite-only
    smtp-password:
      value: <- secret("smtp-password")
Generate a strong admin token:
openssl rand -base64 32
Then set the secrets once and run:
monk secrets add -g vaultwarden-admin-token="<random-token>"
monk secrets add -g smtp-password="<smtp-password>"
monk run myorg/vault

Ports and connectivity

  • HTTP: TCP port 80
  • HTTPS: TCP port 443 (requires SSL certificate)
  • WebSocket: Same port as HTTP/HTTPS

Persistence

  • Data path: ${monk-volume-path}/vaultwarden:/data
  • Database, attachments, and icons are stored in this volume

Features

  • Bitwarden Compatible: Works with all official Bitwarden clients
  • Lightweight: Written in Rust, minimal resources
  • Full Features: Passwords, secure notes, cards, identities
  • Organizations: Share passwords with teams
  • Two-Factor Auth: TOTP, U2F, Yubikey, Duo
  • Password Generator: Strong password creation
  • Browser Extension: Chrome, Firefox, Edge, Safari
  • Mobile Apps: iOS and Android
  • Secure Sharing: Share items with organization members

Client Setup

  1. Browser Extension: Install from Chrome/Firefox store
  2. Server URL: Point to your Vaultwarden instance
  3. Create Account: Sign up via web vault
  4. Login: Use extension or mobile app

Admin Panel

Access at /admin with the admin token:
  • View registered users
  • Invite new users
  • Deactivate users
  • Delete accounts
  • View diagnostics

Organizations

Create organizations for team sharing:
  1. Web Vault → New Organization
  2. Invite members via email
  3. Create collections (password groups)
  4. Share items with collections
  5. Manage member permissions

Two-Factor Authentication

Enable 2FA for extra security:
  • Authenticator App: TOTP (Google Authenticator, Authy)
  • Email: 2FA via email codes
  • Yubikey: Hardware security keys
  • Duo: Duo Security integration

Backup

Back up the data directory regularly:
# Stop container
docker stop vaultwarden

# Backup data
tar -czf vaultwarden-backup-$(date +%Y%m%d).tar.gz \
  /path/to/vaultwarden/data

# Restart container
docker start vaultwarden

Use cases

Vaultwarden excels at:
  • Personal password management
  • Family password sharing
  • Team credential storage
  • Self-hosted security
  • Private password vaults
  • Enterprise password management (small-medium teams)

Security Best Practices

  • Use HTTPS: Always use SSL/TLS in production
  • Strong Master Password: Users should use strong master passwords
  • Enable 2FA: Require two-factor authentication
  • Disable Signups: Use invite-only for organizations
  • Regular Backups: Back up the encrypted vault regularly
  • Admin Token: Keep admin token secret and strong
  • Reverse Proxy: Use Nginx/Traefik with rate limiting
  • Reverse proxy: see nginx/ or traefik/ templates in this repository for SSL termination and rate limiting.
  • Database: see mariadb/ or postgresql/ templates for external database backend.
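
A pre-deployment check for the settings listed above, as an added example (not part of this template or of Monk): it reads a manifest in either layout shown under Configuration and reports variables that conflict with these practices. The function names, the sample manifest and the line-based parser are assumptions of the example; a missing signups-allowed is treated as the template default "true", and a missing admin-token as not set from a secret.

```python
import re

# Constructed sample (not from the page): an inheriting runnable with weak settings.
SAMPLE_MANIFEST = """\
vault:
  inherits: vaultwarden/vaultwarden
  variables:
    domain:
      value: "http://vault.myorg.com"
    admin-token:
      value: "changeme"
"""

LINE = re.compile(r"^\s*([\w-]+):\s*(.*?)\s*$")

def parse_variables(text):
    """Read variables from the flat (key: "v") or nested (key: / value: v) layout."""
    variables, in_vars, current = {}, False, None
    for raw in text.splitlines():
        m = LINE.match(raw.split(" #")[0])  # drop trailing comments
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip('"')
        if key == "variables":
            in_vars = True
        elif in_vars and key == "value" and current:
            variables[current] = val
        elif in_vars and val:
            variables[key] = val
        elif in_vars:
            current = key
    return variables

def audit(variables):
    """Return findings for settings named under Security Best Practices."""
    findings = []
    if not variables.get("domain", "").startswith("https://"):
        findings.append("domain: missing or not an https:// URL")
    if variables.get("signups-allowed", "true") != "false":
        findings.append("signups-allowed: open signups, use invite-only")
    if not variables.get("admin-token", "").startswith("<- secret("):
        findings.append("admin-token: not supplied via secret(...)")
    smtp = variables.get("smtp-password")
    if smtp is not None and not smtp.startswith("<- secret("):
        findings.append("smtp-password: literal value in manifest")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_variables(SAMPLE_MANIFEST))))
```

The inheritance example under Configuration passes this check with no findings; the constructed sample produces three.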

Troubleshooting

  • Access web vault at http://localhost:80 (default port)
  • Access admin panel at http://localhost:80/admin
  • For email issues, verify SMTP settings and test in admin panel
  • For client connection issues, verify domain/URL configuration matches your setup
  • For WebSocket issues, ensure WebSocket is enabled and accessible
  • For database issues, verify database URL and permissions
  • Ensure the host volume is writable by the container user
  • Check logs:
monk logs -l 500 -f vaultwarden/vaultwarden