homelab-design/decisions/0053-vaultwarden-password-management.md
Billy D. 5846d0dc16
docs: add ADRs 0043-0053 covering remaining architecture gaps
New ADRs:
- 0043: Cilium CNI and Network Fabric
- 0044: DNS and External Access Architecture
- 0045: TLS Certificate Strategy (cert-manager)
- 0046: Companions Frontend Architecture
- 0047: MLflow Experiment Tracking and Model Registry
- 0048: Entertainment and Media Stack
- 0049: Self-Hosted Productivity Suite
- 0050: Argo Rollouts Progressive Delivery
- 0051: KEDA Event-Driven Autoscaling
- 0052: Cluster Utilities (Spegel, Descheduler, Reloader, CSI-NFS)
- 0053: Vaultwarden Password Management

README updated with table entries and badge count (53 total).
2026-02-09 18:37:14 -05:00

Vaultwarden Password Management

  • Status: accepted
  • Date: 2026-02-09
  • Deciders: Billy
  • Technical Story: Self-host a Bitwarden-compatible password manager for personal and family credential management

Context and Problem Statement

Password management is essential for security, and commercial Bitwarden plans charge per-user fees for family/team features. Vaultwarden provides a lightweight, Bitwarden-compatible server that runs all premium features without licensing costs.

How do we self-host password management with the reliability and accessibility requirements of a critical personal service?

Decision Drivers

  • Bitwarden client compatibility (browser extensions, mobile apps, CLI)
  • All premium features (TOTP, file attachments, organizations) without licensing
  • High availability relative to importance (password manager is critical infrastructure)
  • Public access for mobile/remote use
  • Minimal attack surface

Considered Options

  1. Vaultwarden — Rust reimplementation of Bitwarden server API
  2. Bitwarden (official) — Official self-hosted Bitwarden
  3. KeePass/KeePassXC — File-based password manager with sync
  4. 1Password — Commercial SaaS

Decision Outcome

Chosen option: Vaultwarden, because it provides full Bitwarden client compatibility in a single lightweight container, supports all premium features, and uses PostgreSQL for reliable storage.

Positive Consequences

  • All Bitwarden clients work natively (browser, mobile, desktop, CLI)
  • All premium features unlocked (TOTP, attachments, emergency access, organizations)
  • Single container (~50 MB RAM) instead of Bitwarden's 6+ containers
  • PostgreSQL backend via CNPG for reliable, backed-up storage
  • Existing Bitwarden vaults can be migrated via import

Negative Consequences

  • Third-party reimplementation — may lag behind official Bitwarden features
  • Self-hosted means self-responsible for backups and availability
  • Public-facing service increases attack surface

Deployment Configuration

  • Image: vaultwarden/server:1.35.2
  • Namespace: productivity
  • Chart: bjw-s app-template
  • Signups: Disabled (SIGNUPS_ALLOWED=false)
  • Admin panel: Disabled
  • Storage: 10Gi Longhorn PVC (attachments/icons)

Database

PostgreSQL via CloudNativePG:

  • 1 instance, amd64 node affinity
  • 10Gi Longhorn storage
  • Credentials from Vault via ExternalSecret

Network Access

  • Gateway: envoy-external
  • URL: vaultwarden.daviestechlabs.io
  • TLS: Let's Encrypt wildcard (DNS-01 via Cloudflare)

Publicly accessible via Cloudflare Tunnel so mobile apps and browser extensions work from anywhere.

Security Hardening

  • New user signups disabled — accounts provisioned manually
  • Admin panel disabled — reduces attack surface
  • Vault credentials from HashiCorp Vault (not inline)
  • WebSocket support for real-time sync between clients
  • All Bitwarden data encrypted client-side (server never sees plaintext)

Vaultwarden serves only encrypted blobs. The encryption key never leaves the client, so even a full server compromise does not expose plaintext passwords.