Bitwarden Synology Docker

  



  • Updated 28/02/2021
  • In hindsight, after writing the previous version of this guide, where I suggested using a unique user per container, this was probably overkill and makes managing permissions a bit of a mare! So it’s simpler and in line with how I am actually doing this at home!

In older versions of my guides, and in practice, I was using my main admin user's details for all my Docker containers. This is not great for security, so it is good practice to set up a unique user with more limited access for your containers.

Once you have completed the steps here go back to the main guide you were following.

Follow my step by step guide on how to activate your synology.me DDNS with DSM 7. Follow my step by step guide on how to activate your synology.me DDNS with DSM 6.2.4. Note: If you already own a synology.me DDNS, skip this STEP.

STEP 3: Go to Control Panel / Application Portal / Reverse Proxy. Click on Create. Follow the instructions in the image.

I have allowed websocket on the Synology NAS reverse proxy because they said it must be on for notifications. I have a running Bitwarden instance inside Synology Docker. I add variables to the Docker Bitwarden instance: websocketenabled:true and websocketaddress: 127.0.0.1 (I don’t know if it’s correct). In the Bitwarden setup I see websocket port 3012.

Creating a User

Navigate into the DSM control panel and open up ‘User’ then click Create.

You can call the user whatever you want. I just kept mine simple and created one called nzbautomate.

It’s also a good idea to generate a very strong random password for the user, while it will be a very limited account you don’t want to give it an easy to guess password. You will never need this password for what we are doing.

Next we are going to add this new user to the ‘users’ group as we don’t want it having any sort of admin access.

Next up we need to grant the user access to the specific shares required for the containers. The screenshot shows what I used for Radarr; just customise this based on the containers you are setting up. For example, if you were also setting up Lidarr and Sonarr you would grant access to your TV and Music shares (assuming you have them separate like me).

Nothing to change on the User quota settings, just click ‘Next’.


Our user will not require any application permissions so check the ‘Deny’ button at the top of the screen.

Again, we don’t need to set any speed limits for this user, so click on ‘Next’.

The final screen will just confirm your settings. Make sure the correct shares are in the ‘Writeable’ list, click on ‘Apply’, and your user has been created.


Obtaining the new user's PUID and PGID

Now we have created the new user for your containers we need to obtain the PUID (Personal User ID) and PGID (Personal Group ID) as this is passed through in our container setup.


You will need to SSH into your Diskstation using ‘Putty’ or an equivalent program depending on if you are a Windows or Linux user.

So let's jump into the Control Panel again and enable SSH.

Open up Putty, the only thing you need to enter is the IP address of your NAS and select the SSH radio button.

Click on ‘Open’, you will get a prompt asking if you trust the key, if this is the first time you have used SSH, just press OK or accept.


Enter the login information for your admin Synology user account, you will not be able to see the password as you type it, I use a very long one so I just paste it in from my password manager. (right click acts as paste in Putty)

Once logged in, type ‘id nameofuser’ without the quotes, where ‘nameofuser’ is the name of the user you created earlier. This will show the UID (aka PUID) and GID (aka PGID).

In the example screenshot you can see my Radarr user is UID=1030 and GID=100. Take a note of the IDs for your user as you will need them later.
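The step above can be scripted. The following is an added example, not part of the original guide: it parses the output of ‘id’ into PUID/PGID lines and refuses accounts that turn out to be privileged. The function name container_ids, the sample line (built from the IDs quoted above) and the DSM admin group name ‘administrators’ are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): derive PUID/PGID from `id`
# output and refuse accounts that are not actually limited.
# Assumption: DSM's admin group is named "administrators".

# Constructed sample line using the IDs quoted in the guide.
SAMPLE_ID='uid=1030(nzbautomate) gid=100(users) groups=100(users)'

# container_ids "<output of id USER>"
#   prints PUID=/PGID= lines and returns 0 for a limited account,
#   returns 1 for a privileged account, 2 for unparseable input.
container_ids() {
    line=$1
    case $line in
        uid=[0-9]*' gid='[0-9]*) ;;
        *) echo "unrecognised id output" >&2; return 2 ;;
    esac

    # Strip the prefix up to the number, then everything after the digits.
    uid=${line#uid=};   uid=${uid%%[!0-9]*}
    gid=${line#* gid=}; gid=${gid%%[!0-9]*}

    # Supplementary groups, e.g. "100(users),101(administrators)".
    case $line in
        *' groups='*) grps=${line#* groups=} ;;
        *) grps= ;;
    esac

    if [ "$uid" -eq 0 ] || [ "$gid" -eq 0 ]; then
        echo "refusing: root uid/gid" >&2; return 1
    fi
    case ",$grps" in
        *'(administrators)'*|*',0('*)
            echo "refusing: account has admin group membership" >&2
            return 1 ;;
    esac

    printf 'PUID=%s\nPGID=%s\n' "$uid" "$gid"
}

# On the NAS itself you would run: container_ids "$(id nzbautomate)"
container_ids "$SAMPLE_ID"
```
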

You have now set up the locked down user account for the specific Docker container you are setting up. You can now go back to the User Guide you were following.

You may also want to disable SSH again.

Bitwarden_rs is an API-compatible Rust rewrite of the Bitwarden server. It uses fewer resources than the standard Bitwarden server and is ideal for the Synology NAS.

Please note, without HTTPS, you will not be able to access Bitwarden using Google Chrome. See here: https://github.com/dani-garcia/bitwarden_rs/issues/958

Docker

Install Docker

Package Centre > Docker > Install

Layout Ports

To avoid having to set up SSL certificates and renew them, we just use the Synology reverse proxy. This complicates the ports.

I.e. External HTTPS reverse proxies to -> External Docker HTTP -> Internal Docker HTTP. We use the same Internal ports and the External reverse proxy ports.

Bitwarden Docker Container

Ports used:

  • HTTPS
  • HTTP
  • WSS (WebSocket)
  • WS

Note: currently websockets are not working.

Create Folders

Docker

/docker/bitwarden/bitwarden

Install Server

Apps > Docker > Registry > Search > bitwardenrs/server

Create HTTPS Reverse proxy

Control Panel -> Application Portal -> Reverse Proxy -> Create

Bitwarden HTTPS

Bitwarden WebSocket HTTPS

Install Bitwarden browser plugin

  • Settings
    • API URL = https://<ip address>:<HTTPS>

TODO

  • Get websockets working: https://github.com/dani-garcia/bitwarden_rs/wiki/Enabling-WebSocket-notifications