Non-scripted deployments

Putting this request here that was originally proposed by nmaggioni in the GitHub issues list (#211).

"It would be nice to have a more rigorous, non pre-scripted way of self-hosting Bitwarden on one’s own infrastructure.

I am, for example, already managing a Docker environment via Rancher and will soon be migrating to Kubernetes. An externally written script could easily screw something up inside the ecosystem by interacting with the Docker daemon and bypassing the chosen orchestrator.

Something like a plain Docker Compose file or simply a list of required dependencies could greatly help in manually reproducing the automated deployment while keeping it under the chosen orchestrator’s management and avoiding conflicts."

I too think this is very important for anyone that wants to self-host and experiment a bit.

Currently it is very hard to separate all the different components in core and customize it to your liking.

Since that’s the true spirit of open source I was hoping the developers would think about the technical guys that like to tinker.


Hi there! So, if you want to see the docker-compose.yml, it is created in the bwdata/docker folder.

My current version is not as recent, but here is an example:

    # Parameter:MssqlDataDockerVolume=False
    # Parameter:HttpPort=80
    # Parameter:HttpsPort=443
    # Parameter:CoreVersion=1.16.0
    # Parameter:WebVersion=1.22.0

    version: '3'

    services:
      mssql:
        image: bitwarden/mssql:1.16.0
        container_name: bitwarden-mssql
        restart: always
        volumes:
          - ../mssql/data:/var/opt/mssql/data
          - ../mssql/backups:/etc/bitwarden/mssql/backups
        env_file:
          - mssql.env
          - ../env/mssql.override.env

      web:
        image: bitwarden/web:1.22.0
        container_name: bitwarden-web
        restart: always
        volumes:
          - ../web:/etc/bitwarden/web

      attachments:
        image: bitwarden/attachments:1.16.0
        container_name: bitwarden-attachments
        restart: always
        volumes:
          - ../core/attachments:/etc/bitwarden/core/attachments

      api:
        image: bitwarden/api:1.16.0
        container_name: bitwarden-api
        restart: always
        volumes:
          - ../core:/etc/bitwarden/core
        env_file:
          - global.env
          - ../env/global.override.env

      identity:
        image: bitwarden/identity:1.16.0
        container_name: bitwarden-identity
        restart: always
        volumes:
          - ../identity:/etc/bitwarden/identity
          - ../core:/etc/bitwarden/core
        env_file:
          - global.env
          - ../env/global.override.env

      icons:
        image: bitwarden/icons:1.16.0
        container_name: bitwarden-icons
        restart: always

      nginx:
        image: bitwarden/nginx:1.16.0
        container_name: bitwarden-nginx
        restart: always
        ports:
          - '80:80'
          - '443:443'
        volumes:
          - ../nginx:/etc/bitwarden/nginx
          - ../letsencrypt:/etc/letsencrypt
          - ../ssl:/etc/ssl

They don’t make this obvious, and the docker-compose file is generated on the fly using a file called DockerComposeBuilder.cs, which is slightly annoying. But still, it should help. I plan on modifying this file to import it and test it on my k8s lab.

The scripts are nice because they build all the dependency files too, so maybe just run it once, get all the files needed, and then alter it as you need.

Have you tried to create a k8s manifest?
I think the biggest problem will be the identity.pfx file. It’s a binary file generated by the bitwarden/setup docker image using the Installation Id and Key.

EDIT 1: After some digging I found that the file is a certificate generated by the following code:

    Helpers.Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout identity.key " +
        "-out identity.crt -subj \"/CN=Bitwarden IdentityServer\" -days 10950");
    Helpers.Exec("openssl pkcs12 -export -out /bitwarden/identity/identity.pfx -inkey identity.key " +
        $"-in identity.crt -certfile identity.crt -passout pass:{IdentityCertPassword}");
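
The two quoted openssl calls, as an added shell example for building identity.pfx by hand, for instance before loading it into an orchestrator's secret store; this is not Bitwarden's setup code. The function names and the IDENTITY_CERT_PASSWORD and KEY_BITS variables are assumptions; the password is read through openssl's `env:` source instead of `pass:` so it does not appear in the process list.

```shell
#!/bin/sh
# Added example, not Bitwarden's setup code: builds identity.pfx by hand with the
# same two openssl steps as the quoted C#. make_identity_pfx, check_identity_pfx,
# IDENTITY_CERT_PASSWORD and KEY_BITS are hypothetical names.

make_identity_pfx() {
    out_dir=$1                        # e.g. ./bwdata/identity
    bits=${KEY_BITS:-4096}            # 4096 matches the quoted command
    [ -n "$IDENTITY_CERT_PASSWORD" ] || { echo "set IDENTITY_CERT_PASSWORD" >&2; return 1; }
    export IDENTITY_CERT_PASSWORD     # openssl reads it via env:, not from argv

    old_umask=$(umask)
    umask 077                         # key material readable by the owner only
    work=$(mktemp -d) || { umask "$old_umask"; return 1; }
    mkdir -p "$out_dir"

    # Step 1: self-signed certificate with the subject and lifetime from the quoted code.
    # Step 2: bundle key and certificate into the password-protected PKCS#12 file.
    if openssl req -x509 -newkey "rsa:$bits" -sha256 -nodes \
            -keyout "$work/identity.key" -out "$work/identity.crt" \
            -subj "/CN=Bitwarden IdentityServer" -days 10950 &&
       openssl pkcs12 -export -out "$out_dir/identity.pfx" \
            -inkey "$work/identity.key" -in "$work/identity.crt" \
            -certfile "$work/identity.crt" -passout env:IDENTITY_CERT_PASSWORD
    then rc=0; else rc=1; fi

    rm -rf "$work"                    # the unencrypted key is not left on disk
    umask "$old_umask"
    return "$rc"
}

# Succeeds only if the bundle opens with the password and holds the expected subject.
check_identity_pfx() {
    export IDENTITY_CERT_PASSWORD
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:IDENTITY_CERT_PASSWORD 2>/dev/null |
        openssl x509 -noout -subject 2>/dev/null |
        grep -q "Bitwarden IdentityServer"
}
```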

Related discussions happening here: