Vaultwarden

Self-hosted Bitwarden-compatible password manager running in a lightweight Alpine LXC container.

Overview

Vaultwarden is a lightweight, self-hosted implementation of the Bitwarden password manager API. It's fully compatible with all official Bitwarden clients (iOS, Android, browser extensions, desktop apps) while using a fraction of the resources of the official Bitwarden server.

Why Vaultwarden?

• Self-hosted — passwords never leave the homelab
• Full Bitwarden compatibility — works with all official clients, no custom apps needed
• Extremely lightweight — runs on 256MB RAM and 1GB disk in an Alpine LXC container
• No Docker required — Alpine packages provide pre-built binaries, no compilation or container runtime needed

Architecture

Vaultwarden runs as a single Rust binary serving an HTTP API on port 8000. TLS is handled by Caddy (CT 101), which reverse proxies vault.hake.rodeo to the Vaultwarden backend over plain HTTP. DNS resolution is provided by Pi-hole, which has a local A record pointing vault.hake.rodeo to Caddy's IP.

The data flow: Bitwarden Client → vault.hake.rodeo:443 → Caddy (TLS termination) → 10.1.10.102:8000 → Vaultwarden

Why Alpine over Debian?

The community helper scripts offer both Alpine and Debian versions. Alpine was chosen because:

• 256MB RAM vs 6GB — the Debian script compiles Vaultwarden from source with Rust/Cargo
• 1GB disk vs 20GB — Alpine packages are tiny compared to the Rust toolchain
• Seconds vs 20+ minutes — apk install vs cargo build
• OpenRC instead of systemd — simpler init, no nesting/keyctl requirements

Service Details

Field	Value
Container	CT 102 (Alpine 3.23, unprivileged LXC)
IP	10.1.10.102
Port	8000 (HTTP)
VLAN	10 (Production)
Resources	1 vCPU, 256MB RAM, 1GB disk
Domain	vault.hake.rodeo
Admin Panel	vault.hake.rodeo/admin

Dependencies

• Caddy (CT 101) — TLS termination for vault.hake.rodeo
• Pi-hole (CT 100) — DNS resolution and local DNS record