Bitwarden installation optimized for Google Cloud's 'always free' e2-micro (formerly f1-micro) compute instance
Note: if you follow these instructions the end product is a self-hosted instance of Bitwarden running in the cloud, and it will be free unless you exceed the 1 GB of egress per month or have egress to China or Australia, which the free tier does not cover. I talk about best practices to help avoid China/Australia egress, but there is still a chance you will be charged for it, so please keep that in mind.
This is a quick-start guide. Read about this project in more detail here.
- Bitwarden self-hosted (Bitwarden RS, now Vaultwarden)
- Automatic database backups to a private GitHub repo of yours.
- Automatic HTTPS certificate management through the Cloudflare proxy.
- With Cloudflare Argo Tunnel you don't need to expose ANY port at all: cloudflared makes an outbound connection to Cloudflare, and inbound traffic arrives through that connection.
- So DDNS is no longer required either.
Before you start, ensure you have the following:
- A Google Cloud account
- A domain whose DNS is managed by Cloudflare, with a hostname picked out for Bitwarden (do not create the DNS record yourself; cloudflared will create it later).
- A github account
Google Cloud offers an 'always free' tier of Compute Engine with one shared virtual core and about 1 GB of RAM (of which roughly 150 MB is free, depending on which OS you install). Bitwarden RS (now Vaultwarden) runs well under these constraints; it is written in Rust and is an ideal candidate for a micro instance.
Go to Google Compute Engine and open a Cloud Shell. You may also create the instance manually, following the constraints of the free tier. In the Cloud Shell, enter the following command to build a properly spec'd machine:
# create vm
$ gcloud compute instances create bitwarden-rs \
--machine-type e2-micro \
--zone us-west1-b \
--image-project cos-cloud \
--image-family cos-stable \
--boot-disk-size=30GB \
--scopes compute-rw
You may change the zone to be closer to you (the free tier only applies in certain US regions, so check the current free-tier terms before picking one) or customize the instance name (bitwarden-rs), but most of the other values should remain the same.
Enter a shell on the new instance and clone this repo:
$ git clone https://github.com/HuJK/bitwarden_gcloud_cloudflare
$ cd bitwarden_gcloud_cloudflare
Set up the docker-compose alias using the included script:
$ sh utilities/install-alias.sh
$ source ~/.bashrc
$ docker-compose --version
docker-compose version 1.25.5, build 8a1c60f
I provide .env.template, which should be copied to .env and filled out; filling it out is self-explanatory and requires certain values such as a domain name, GitHub keys, etc.
- Create an empty private repo in your GitHub account.
- Generate a new SSH key pair and put the private key into the .env file.
- Add the public key to the deploy keys of your repo; write access is required so the backups can be pushed.
- Download and install cloudflared (Cloudflare Argo Tunnel) from here: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation
- Run cloudflared tunnel login locally and select your domain to get the account certificate.
- Run cloudflared tunnel create bwd
- Make sure the hostname you want for Bitwarden does not already exist in your Cloudflare DNS panel: the next command creates the record itself, and it fails if one already exists.
- Run cloudflared tunnel route dns bwd bwd.example.com
- Copy ~/.cloudflared/XXXXXXX.json to the cloudflared folder in this repo and rename it to tunnel.json. This file contains the tunnel's secret, so treat it like a password and keep it out of version control.
- Fill in the CLOUDFLARED_TUNNEL_NAME part of the env file (bwd in the commands above).
Container-Optimized OS updates itself automatically, but an update is only applied after a reboot. To make sure you are running the most current OS image, you can set a boot script that waits until an update has been staged and then schedules a reboot.
Before you start, ensure your Bitwarden compute VM has the compute-rw scope. If you used the gcloud command above, it includes that scope. If not, go to your Google Cloud console and edit the "Cloud API access scopes" so that "Compute Engine" shows "Read Write". You need to shut down your compute VM in order to change this. Keep in mind that this scope lets anything running as the VM's service account, including a compromised container, call the Compute Engine API with whatever IAM permissions that service account has, so grant it only because the reboot script needs it.
Modify the script to set your local timezone and the time at which to schedule reboots: set the TZ= and TIME= variables in utilities/reboot-on-update.sh. By default the script will schedule reboots for 06:00 UTC.
From within your compute VM console, type the command toolbox. From within toolbox, find the utilities folder of the cloned repo. toolbox mounts the host filesystem under /media/root, so go there to find the folder; it will likely be in /media/root/home/<google account name>/bitwarden_gcloud_cloudflare/utilities. cd to that folder.
Next, use gcloud to add the reboot-on-update.sh script to your VM's boot-script metadata with the add-metadata command:
gcloud compute instances add-metadata bitwarden-rs --zone=us-west1-b --metadata-from-file startup-script=reboot-on-update.sh
You can confirm that your startup script has been added in your instance details under "Custom metadata" on the Compute Engine Console.
Next, restart your VM with the command $ sudo reboot. Once your VM has rebooted, you can confirm that the startup script ran with the command:
$ sudo journalctl -u google-startup-scripts.service
Now the script will wait until a reboot is pending and then schedule a reboot for the time configured in the script.
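For reference, here is an added example of what such a boot script can look like. It is not the repository's utilities/reboot-on-update.sh. It assumes that update_engine_client --status on Container-Optimized OS prints a line containing CURRENT_OP=UPDATE_STATUS_UPDATED_NEED_REBOOT once an update is staged, and it only starts its polling loop when invoked with a --run argument, a convention chosen here so the helper functions can be exercised on their own. Because it reboots from inside the guest rather than through the Compute Engine API, this variant does not itself need the compute-rw scope.

```shell
#!/bin/sh
# Added example of a reboot-on-update boot script for Container-Optimized OS.
# Not the repository's utilities/reboot-on-update.sh. Assumptions: the
# update_engine_client command exists and prints a line containing
# "CURRENT_OP=UPDATE_STATUS_UPDATED_NEED_REBOOT" when a downloaded update
# is waiting for a reboot; the polling loop is only started when the script
# is invoked with "--run" (a convention of this example).

TZ="${TZ:-UTC}"        # timezone in which TIME is interpreted
TIME="${TIME:-06:00}"  # HH:MM at which to reboot once an update is staged
POLL_SECONDS=600       # how often to query the update engine

# needs_reboot STATUS_TEXT: succeeds when the update engine's status output
# reports an applied update that is waiting for a reboot.
needs_reboot() {
    printf '%s\n' "$1" | grep -q 'CURRENT_OP=UPDATE_STATUS_UPDATED_NEED_REBOOT'
}

# to_seconds HH:MM: seconds since midnight. A leading zero is stripped first
# so that "08" and "09" are not parsed as (invalid) octal by the shell.
to_seconds() {
    h=${1%%:*}; m=${1##*:}
    h=${h#0};   m=${m#0}
    echo $(( ${h:-0} * 3600 + ${m:-0} * 60 ))
}

# seconds_until NOW TARGET: seconds from NOW to the next occurrence of TARGET,
# both HH:MM. Crosses midnight when needed; NOW == TARGET means tomorrow.
seconds_until() {
    diff=$(( $(to_seconds "$2") - $(to_seconds "$1") ))
    [ "$diff" -le 0 ] && diff=$(( diff + 86400 ))
    echo "$diff"
}

# main: block until an update is staged, then sleep until TIME (in TZ) and
# reboot from inside the guest, so no Compute Engine API scope is needed.
main() {
    until needs_reboot "$(update_engine_client --status 2>/dev/null)"; do
        sleep "$POLL_SECONDS"
    done
    now=$(TZ="$TZ" date +%H:%M)
    delay=$(seconds_until "$now" "$TIME")
    logger -t reboot-on-update "update staged, rebooting in ${delay}s (at $TIME $TZ)"
    sleep "$delay"
    reboot
}

case "${1:-}" in
    --run) main ;;
esac
```

Set TZ and TIME the same way as for the repository's script. With the guard at the bottom in place, the startup-script metadata has to invoke the file with --run (for example through a one-line wrapper script); if you deploy it directly as the startup script, drop the case statement so main runs unconditionally.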
From Vaultwarden 1.29.0, automatic sync in the mobile apps is supported; it depends on push notifications. To enable it:
- Go to https://bitwarden.com/host/, enter your email address, and you will receive an INSTALLATION ID and KEY.
- Put the ID and KEY from the previous step into the .env file:
PUSH_ENABLED=true
PUSH_INSTALLATION_ID=
PUSH_INSTALLATION_KEY=
To start up, use docker-compose:
$ docker-compose up
You can now use your browser to visit your new Bitwarden site.