Selfhosted

60114 readers

518 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam.
Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.
Don't duplicate the full text of your blog or git here. Just post the link for folks to click.
Submission headline should match the article title.
No trolling.
Promotion posts require your active participation in selfhosting or related communities, or the post will be removed. No more than 10% of your posts or comments may be self-promotional, or your post will be removed. F/LOSS Exception: If your post is about a project that is completely open source & can be self-hosted in full without payment, and your account is at least 30 days old, your post is exempt from this rule as long as you continue to engage in comments.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago

MODERATORS

curbstickle@anarchist.nexus

curbstickle_lw@lemmy.world

Vaultwarden while allowing family emergency access (piefed.blahaj.zone)

submitted 2 hours ago by CorrectAlias@piefed.blahaj.zone to c/selfhosted@lemmy.world

4 comments fedilink hide all child comments

Hi everyone.

Given some recent.. issues with Bitwarden's leadership, I've been toying with Vaultwarden. It's been great, and supports pretty much everything I need.

I currently locally host the vault, but I'm realizing that this could cause problems for my family if something were to happen to me. While not technologically inept, if my server at home crashed they would have no idea how to access it, and they would lose all of the passwords.

I was thinking that a vps might be a better choice for this, possibly with some reboot automation in case of outages. That would allow them enough time to initiate the emergency access and import everything before anything happens to the passwords.

I've also got encrypted M-disc backups of the most important passwords with timestamps of when they were last set. I've demonstrated and written down instructions on how to decrypt these. Of course I also have other backups, but I doubt they'd be able to retrieve the non-physical copies of the backups.

Anyway, is that what most people here do with Vaultwarden, use a VPS with mTLS or VPN?

top 4 comments

sorted by: hot top controversial new old

[–] NaibofTabr@infosec.pub 1 points 17 minutes ago* (last edited 13 minutes ago)

You are running into the ultimate, and ultimately unavoidable, limitation of self-hosting, which is the self.

You should run a VM on the VPS for Vaultwarden, with no other services in the VM except whatever you need to connect to it remotely. Keep it simple. Run an exact copy of the VM on your local server. Have the VPS instance push its database to the local instance regularly, to keep up with any changes that your users make. Make regular backups of the local instance.

When you need to update the software, freeze an image of the local VM and then update the local VM, then when you're sure it's stable, copy the updated local VM to the VPS. If either the local or VPS instance crashes out, you should be able to recover (or reproduce) one from the other.

In the end though, it is functionally impossible to ensure reliability by yourself. Hosting Vaultwarden on a VPS shifts the responsibility for running the underlying server and network connection to the provider, and probably removing the dependence on your residential network connection will be better for your family/users.

You are still the weak point in your system. You need someone else who can log in to your local server, and into the VPS, and perform recovery if needed. There is no technical solution for this. You cannot be the sole admin, and also ensure reliability for other users.

[–] thehatfox@lemmy.world 2 points 1 hour ago

A VPS is going to have all the same problems as a local server in terms of inexperienced users, and will also add all the extra hassle of managing and paying for the VPS account.

I would say the best options for emergency access are local backups and documentation, which you already have. You could also consider keeping additional copies of essential passwords (like email accounts etc) in a simpler vault like Keepass. Or even physical copies written down in a security envelope in a safe.

[–] hoshikarakitaridia@lemmy.world 1 points 2 hours ago (1 children)

I have vaultwarden on my home server and I usually visit it through it's Webinterface because the bitwarden addon for my browser breaks all the time with my vaultwarden instance.

I also have tailscale and a Headscale server so access should be VPN level secure.

I'm gonna be honest, it's quite inconvenient sometimes but it's an ok working setup.

The addon issue gives me the most headaches because it means I have to login like 10 times into the web ui and then search through the passwords every time I am building stuff on my servers.

[–] CorrectAlias@piefed.blahaj.zone 1 points 2 hours ago

Interesting, I haven't had an issue with the browser extension (yet). Have you considered the emergency access to your vault, or are you just letting it ride?