

Deploying the Password Management Service Bitwarden on Alibaba Cloud Function Compute


This article is currently an experimental machine translation and may contain errors. If anything is unclear, please refer to the original Chinese version. I am continuously working to improve the translation.

I used LastPass for a while, and it basically met all my needs. However, the free version doesn’t allow simultaneous use across both computer and mobile devices. And browsing v2ex got me “evangelized” pretty quickly. So I decided to self-host Bitwarden instead.

After considering stability, security, and cost, I ultimately opted to deploy it on serverless functions. I couldn’t find any online tutorials about deploying Bitwarden’s backend in a serverless fashion (and there’s a small gotcha), so I’m writing this down for reference.

Update on 2023.11.03

It’s been almost a year and a half now—running smoothly with no maintenance needed. The only hassle comes during upgrades. Here’s a quick update:

The latest version of Bitwarden has moved the WebSocket connection endpoint to the default port 80. Clients automatically try to connect and keep a WebSocket connection open, which keeps the function instance busy and consumes significant CPU time and memory. You'll want to block access to the /notifications/hub path.

Future versions might include an option to disable WebSocket connections, but for now, a temporary workaround on Alibaba Cloud Functions is to bind this path to another function that doesn’t support WebSocket. As an extra precaution, you can also reduce the function timeout and set up monitoring to prevent unexpected charges.

Additionally, on Alibaba Cloud Function Compute, set the per-instance concurrency limit to a reasonably high number (e.g., 100) while capping the function at a single instance. That way every request is handled by the same instance, which avoids concurrency issues. (Note: Vaultwarden isn't designed as a stateless application.)
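A quick way to confirm that the /notifications/hub workaround above actually took effect is to send the same WebSocket upgrade request a Bitwarden client sends and look at the status code. The script below is an added example for this post, not code from Vaultwarden or Alibaba Cloud; the hostname vault.example.com is a placeholder, and the stub server is a local stand-in included only so the probe can be dry-run offline.

```python
"""Probe whether the /notifications/hub WebSocket endpoint is still reachable.

Added example for this post (not Vaultwarden's or Alibaba Cloud's code). It sends the
upgrade request a Bitwarden client would send: a 101 status means the hub accepts
WebSocket connections and will keep the function instance busy; anything else
(404, 403, 502 ...) means the path is effectively blocked.
"""
import http.client
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

HUB_PATH = "/notifications/hub"


def probe_websocket_upgrade(base_url: str, timeout: float = 5.0) -> int:
    """Return the HTTP status the server answers to a WebSocket upgrade on HUB_PATH."""
    u = urlparse(base_url)
    if u.scheme == "https":
        conn = http.client.HTTPSConnection(
            u.hostname, u.port or 443, timeout=timeout, context=ssl.create_default_context()
        )
    else:
        conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        conn.request(
            "GET",
            HUB_PATH,
            headers={
                "Connection": "Upgrade",
                "Upgrade": "websocket",
                "Sec-WebSocket-Version": "13",
                # Sample key from RFC 6455 section 1.2; any base64 16-byte nonce works for a probe.
                "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ==",
            },
        )
        return conn.getresponse().status
    finally:
        conn.close()


def hub_is_blocked(base_url: str) -> bool:
    """True when the deployment no longer upgrades HUB_PATH to a WebSocket."""
    return probe_websocket_upgrade(base_url) != 101


class _StubHandler(BaseHTTPRequestHandler):
    """Local stand-in for the deployment, used only for offline dry runs of the probe."""

    hub_status = 404  # what the stub answers on HUB_PATH; every other path gets 200

    def do_GET(self):
        status = self.hub_status if self.path == HUB_PATH else 200
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep dry runs quiet
        pass


def start_stub_server(hub_status: int = 404):
    """Start the stub on a random loopback port; returns (server, base_url)."""
    handler = type("StubHandler", (_StubHandler,), {"hub_status": hub_status})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    import sys

    # Placeholder host; pass your own custom domain as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://vault.example.com"
    status = probe_websocket_upgrade(target)
    print(f"{target}{HUB_PATH} -> {status}  blocked={status != 101}")
```

Run it against the custom domain after each Vaultwarden upgrade; if the status flips back to 101, the path binding was lost and the instance will start accumulating idle WebSocket connections again.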

In short, while serverless functions offer low maintenance, low cost, high isolation, and better privacy, they do come with certain limitations. Each upgrade may bring new small issues to resolve. However, Bitwarden data is locally cached and can be exported offline—the cloud server mainly serves as a sync hub, so concerns about data loss or unavailability are relatively minor.

Below is the original article content~


The official Bitwarden images are split into multiple components and take up considerable space. Cold starts on serverless platforms would be slow, and deployment becomes complicated.

Fortunately, there’s a third-party re-implementation of the backend API called Vaultwarden. It’s lightweight, fully functional, and perfect for deployment on serverless functions.

Pushing the Image

Alibaba Cloud Function Compute requires container images to be hosted on Alibaba Cloud’s own registry (ACR). Fortunately, Alibaba provides free image storage for individual users. All you need to do is pull the Docker image from Docker Hub and push it to your Alibaba ACR.

First, run docker pull vaultwarden/server:latest to pull the Vaultwarden image locally.

Then go to the Alibaba Cloud ACR console, create a repository under your personal instance, choose “manual local repository” as the source, and follow the instructions on the page to push your local image to ACR.

Configuring the Service

Open the Function Compute (FC) console, create a new service, then create a function using the “Container Image” option. Select the image from ACR, set the listening port to 80, and choose HTTP request handler as the request handler type.

After creating the service, you’ll need to set up a NAS file system to persist data. Go back to the service configuration page, and under network settings, you can enable VPC with one click, then automatically configure a NAS file system. Set the mount point to /mnt/data.

Go back to your function’s configuration. According to the Vaultwarden Wiki, you need to adjust some settings.

Since Alibaba Cloud only allows mounting under /mnt or /home, you must adjust the default configuration by adding an environment variable: set DATA_FOLDER to /mnt/data.

By default, SQLite’s WAL mode is enabled, but it can cause database corruption when used with Alibaba Cloud’s NAS (a networked file system). Add the environment variable ENABLE_DB_WAL and set it to false to disable WAL.

You may also set ADMIN_TOKEN for web-based administration if needed—refer to the Wiki for details.
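The environment variables above are easy to get subtly wrong, and the WAL setting in particular deserves a second look: SQLite stores the journal mode in the database file itself, so a database that was first created while WAL was on stays in WAL mode until something switches it back. The script below is an added example for this post, not Vaultwarden's own code; it validates the variables against the rules stated above and reads the journal mode straight from the database. The 32-character minimum for ADMIN_TOKEN is my own assumption, and the sample database it builds is a constructed throwaway, not a real vault.

```python
"""Check the Vaultwarden settings this post relies on, before and after deploying.

Added example for this post (not Vaultwarden's code). Validates the environment variables
described above and inspects the SQLite journal mode directly, because the mode is stored
in the database file and ENABLE_DB_WAL=false alone does not rewrite an existing file.
"""
import os
import sqlite3
import tempfile

ALLOWED_MOUNT_ROOTS = ("/mnt", "/home")  # the only mount prefixes Alibaba Cloud NAS accepts
DB_FILE = "db.sqlite3"  # Vaultwarden's default SQLite file name inside DATA_FOLDER


def validate_env(env: dict) -> list:
    """Return a list of problems with the function's environment variables (empty = OK)."""
    problems = []
    data_folder = env.get("DATA_FOLDER")
    if not data_folder:
        problems.append("DATA_FOLDER is unset; data would land inside the container, not on the NAS")
    elif not data_folder.startswith(ALLOWED_MOUNT_ROOTS):
        problems.append(f"DATA_FOLDER={data_folder} is outside {ALLOWED_MOUNT_ROOTS}")
    # Vaultwarden enables WAL by default, so a missing variable counts as "true".
    if env.get("ENABLE_DB_WAL", "true").lower() != "false":
        problems.append("ENABLE_DB_WAL must be false on a networked file system (NAS)")
    token = env.get("ADMIN_TOKEN")
    if token is not None and len(token) < 32:  # 32 is an assumed minimum, not a Vaultwarden rule
        problems.append("ADMIN_TOKEN is set but shorter than 32 characters")
    return problems


def journal_mode(db_path: str) -> str:
    """Read the journal mode stored in the database file ('wal', 'delete', ...)."""
    conn = sqlite3.connect(db_path)
    try:
        return conn.execute("PRAGMA journal_mode").fetchone()[0].lower()
    finally:
        conn.close()


def disable_wal(db_path: str) -> str:
    """Switch the database back to the rollback journal and return the resulting mode.

    Run this with Vaultwarden stopped: changing the mode needs exclusive access to the file.
    """
    conn = sqlite3.connect(db_path, isolation_level=None)  # autocommit, no open transaction
    try:
        return conn.execute("PRAGMA journal_mode=DELETE").fetchone()[0].lower()
    finally:
        conn.close()


def make_sample_db(wal: bool = True) -> str:
    """Create a constructed throwaway database (not a real vault) in the requested mode."""
    path = os.path.join(tempfile.mkdtemp(), DB_FILE)
    conn = sqlite3.connect(path, isolation_level=None)
    try:
        conn.execute("PRAGMA journal_mode=" + ("WAL" if wal else "DELETE"))
        conn.execute("CREATE TABLE users (uuid TEXT PRIMARY KEY)")
    finally:
        conn.close()
    return path


if __name__ == "__main__":
    # Inside the function instance: check the live environment and the mounted database.
    for p in validate_env(dict(os.environ)):
        print("env:", p)
    db = os.path.join(os.environ.get("DATA_FOLDER", "/mnt/data"), DB_FILE)
    if os.path.exists(db):
        print("journal_mode:", journal_mode(db))
```

If journal_mode reports "wal" on a database that already lives on the NAS, stop the function, run disable_wal on a locally mounted copy of the file, and confirm the mode reads "delete" before starting Vaultwarden again.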

Configuring Routing and HTTPS

Go back to the top-level Function Compute settings and select "Add Custom Domain". I strongly recommend enabling and enforcing HTTPS (apply for a free SSL certificate and follow the prompts). Then route the custom domain to your newly created service.

Once configured, set your client’s server URL to something like https://vault.example.com, and you’re good to go.


Setup complete—clients on desktop, mobile, and web all work perfectly, and you’ve unlocked premium features!

This article is licensed under the CC BY-NC-SA 4.0 license.

Author: lyc8503, Article link: https://blog.lyc8503.net/en/post/vaultwarden-on-aliyun-serverless/