daviestechlabs/homelab-design
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f94945fb4606d61b8884571ce68c622c95add03f
homelab-design/decisions/0053-vaultwarden-password-management.md
Billy D. 5846d0dc16
All checks were successful
Update README with ADR Index / update-readme (push) Successful in 6s
Details
docs: add ADRs 0043-0053 covering remaining architecture gaps 
New ADRs:
- 0043: Cilium CNI and Network Fabric
- 0044: DNS and External Access Architecture
- 0045: TLS Certificate Strategy (cert-manager)
- 0046: Companions Frontend Architecture
- 0047: MLflow Experiment Tracking and Model Registry
- 0048: Entertainment and Media Stack
- 0049: Self-Hosted Productivity Suite
- 0050: Argo Rollouts Progressive Delivery
- 0051: KEDA Event-Driven Autoscaling
- 0052: Cluster Utilities (Spegel, Descheduler, Reloader, CSI-NFS)
- 0053: Vaultwarden Password Management

README updated with table entries and badge count (53 total).
2026-02-09 18:37:14 -05:00

91 lines
3.4 KiB
Markdown
Raw Blame History

# Vaultwarden Password Management
* Status: accepted
* Date: 2026-02-09
* Deciders: Billy
* Technical Story: Self-host a Bitwarden-compatible password manager for personal and family credential management
## Context and Problem Statement
Password management is essential for security, and commercial Bitwarden plans charge per-user fees for family/team features. Vaultwarden provides a lightweight, Bitwarden-compatible server that runs all premium features without licensing costs.
How do we self-host password management with the reliability and accessibility requirements of a critical personal service?
## Decision Drivers
* Bitwarden client compatibility (browser extensions, mobile apps, CLI)
* All premium features (TOTP, file attachments, organizations) without licensing
* High availability relative to importance (password manager is critical infrastructure)
* Public access for mobile/remote use
* Minimal attack surface
## Considered Options
1. **Vaultwarden** — Rust reimplementation of Bitwarden server API
2. **Bitwarden (official)** — Official self-hosted Bitwarden
3. **KeePass/KeePassXC** — File-based password manager with sync
4. **1Password** — Commercial SaaS
## Decision Outcome
Chosen option: **Vaultwarden**, because it provides full Bitwarden client compatibility in a single lightweight container, supports all premium features, and uses PostgreSQL for reliable storage.
### Positive Consequences
* All Bitwarden clients work natively (browser, mobile, desktop, CLI)
* All premium features unlocked (TOTP, attachments, emergency access, organizations)
* Single container (~50MB RAM) instead of Bitwarden's 6+ containers
* PostgreSQL backend via CNPG for reliable, backed-up storage
* Existing Bitwarden vaults can be migrated via import
### Negative Consequences
* Third-party reimplementation — may lag behind official Bitwarden features
* Self-hosted means self-responsible for backups and availability
* Public-facing service increases attack surface
## Deployment Configuration
| | |
|---|---|
| **Image** | `vaultwarden/server:1.35.2` |
| **Namespace** | `productivity` |
| **Chart** | bjw-s `app-template` |
| **Signups** | Disabled (`SIGNUPS_ALLOWED=false`) |
| **Admin panel** | Disabled |
| **Storage** | 10Gi Longhorn PVC (attachments/icons) |
### Database
PostgreSQL via **CloudNativePG**:
- 1 instance, `amd64` node affinity
- 10Gi Longhorn storage
- Credentials from Vault via ExternalSecret
### Network Access
| | |
|---|---|
| **Gateway** | `envoy-external` |
| **URL** | `vaultwarden.daviestechlabs.io` |
| **TLS** | Let's Encrypt wildcard (DNS-01 via Cloudflare) |
Publicly accessible via Cloudflare Tunnel so mobile apps and browser extensions work from anywhere.
## Security Hardening
* New user signups disabled — accounts provisioned manually
* Admin panel disabled — reduces attack surface
* Vault credentials from HashiCorp Vault (not inline)
* WebSocket support for real-time sync between clients
* All Bitwarden data encrypted client-side (server never sees plaintext)
Vaultwarden serves only encrypted blobs. The encryption key never leaves the client, so even a full server compromise does not expose plaintext passwords.
## Links
* Related to [ADR-0027](0027-database-strategy.md) (CNPG PostgreSQL)
* Related to [ADR-0044](0044-dns-and-external-access.md) (Cloudflare Tunnel access)
* Related to [ADR-0045](0045-tls-certificate-strategy.md) (Let's Encrypt TLS)
* [Vaultwarden](https://github.com/dani-garcia/vaultwarden)
Reference in New Issue View Git Blame Copy Permalink