johannmx/vaultwarden_backup

 
 

💾 Vaultwarden Backup

A robust backup solution for Vaultwarden with support for multiple notification services (Gotify, Slack, Discord). This tool automatically backs up your Vaultwarden data and provides notifications about backup status.

🚀 Features

  • Automatic scheduled backups using cron
  • Hot Backup Support: Uses sqlite3 .backup to ensure database consistency even while Vaultwarden is running.
  • Multiple notification services support via Apprise:
    • Gotify
    • Slack
    • Discord
  • Configurable backup retention with automatic cleanup
  • Security hardened containers with non-root user execution
  • Multi-architecture support: Optimized for amd64, arm64, and arm/v7
  • Timezone configuration for accurate scheduling
  • Detailed logging: Real-time logs available via Docker stdout
  • Easy deployment with Docker Compose and environment variables

📦 Backed Up Files

The following files and directories are backed up:

  • db_backup.sqlite3 - Consistent snapshot of the database
  • config.json - Configuration file
  • rsa_key* - RSA key files
  • /attachments - User attachments
  • /sends - Send items

🛠️ Usage

Quick Start

  1. Copy the environment template:

     cp .env.example .env

  2. Edit the .env file with your configuration:

     # Core settings
     DOMAIN=http://localhost:8088
     ADMIN_TOKEN=your-secure-admin-token-here

     # Security
     SIGNUPS_ALLOWED=false
     INVITATIONS_ALLOWED=true

     # Paths (relative to docker-compose.yml)
     VAULTWARDEN_DATA_PATH=./data
     BACKUP_DATA_PATH=./backups

     # Backup settings
     BACKUP_DELETE_AFTER=30
     BACKUP_CRON_TIME=0 2 * * *

     # Notifications
     GOTIFY_TOKEN=your_token
     GOTIFY_SERVER=your_server
     SLACK_WEBHOOK=your_webhook
     DISCORD_WEBHOOK_ID=your_id
     DISCORD_WEBHOOK_TOKEN=your_token

  3. Start the services:

     # Basic setup (Vaultwarden + Backup)
     docker-compose up -d

     # With auto-updates enabled
     docker-compose --profile watchtower up -d

  4. Verify everything is running:

     docker-compose ps
     docker-compose logs -f

Advanced Usage

Manual Backup

docker-compose run --rm backup manual

View Logs

# All services
docker-compose logs -f

# Specific service
docker-compose logs -f vaultwarden
docker-compose logs -f backup

Update Services

# Pull latest images
docker-compose pull

# Restart with new images
docker-compose up -d

Backup Management

# List current backups
ls -la ./backups/

# Restore from backup (example)
docker-compose down
tar -Jxf ./backups/2024-01-15_02-00-00.tar.xz -C ./data/
docker-compose up -d
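
A pre-restore check for the archive used in the restore command above. This is an added example, not part of the project's scripts; the function names are hypothetical, and it assumes member names are relative to the data directory and that the archive holds db_backup.sqlite3 as listed under Backed Up Files.

```shell
#!/bin/sh
# Added example, not part of vaultwarden_backup.
# Assumption: archive members are relative to the data directory, as the
# README's `tar -Jxf ... -C ./data/` restore command implies.

# Reads a `tar -tf` listing on stdin. Prints one line per finding and
# returns 1 if a member could land outside the target directory or the
# database snapshot is missing.
check_backup_listing() {
    awk '
        { name = $0; sub(/^\.\//, "", name) }
        /^\//              { print "absolute path: " $0; bad = 1 }
        /(^|\/)\.\.(\/|$)/ { print "parent-directory component: " $0; bad = 1 }
        name == "db_backup.sqlite3" { db = 1 }
        name == "config.json"       { cfg = 1 }
        name ~ /^rsa_key/           { rsa = 1 }
        END {
            if (!db)  { print "missing: db_backup.sqlite3"; bad = 1 }
            if (!rsa) { print "note: no rsa_key* files in archive" }
            if (!cfg) { print "note: no config.json in archive" }
            exit bad + 0
        }
    '
}

# Lists the archive without extracting it, then applies the checks.
# A truncated or corrupt .tar.xz fails at the listing step.
verify_backup() {
    listing=$(tar -Jtf "$1") || { echo "unreadable archive: $1"; return 1; }
    printf '%s\n' "$listing" | check_backup_listing
}

# Usage: verify_backup ./backups/<archive>.tar.xz && \
#            tar -Jxf ./backups/<archive>.tar.xz -C ./data/
```

Run it after `docker-compose down` and before extracting, so a damaged or unexpected archive never overwrites the live data directory.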

⚙️ Configuration

Environment Variables

Core Vaultwarden Settings

| Variable | Description | Default | Example |
|---|---|---|---|
| DOMAIN | Public domain for Vaultwarden | http://localhost:8088 | https://vault.example.com |
| ADMIN_TOKEN | Admin panel access token | - | secure-random-token |
| SIGNUPS_ALLOWED | Allow new user registrations | false | true |
| INVITATIONS_ALLOWED | Allow user invitations | true | false |
| WEB_VAULT_ENABLED | Enable web vault interface | true | false |

Security & Performance

| Variable | Description | Default | Example |
|---|---|---|---|
| SHOW_PASSWORD_HINT | Show password hints | false | true |
| DATABASE_MAX_CONNS | Max database connections | 10 | 20 |
| LOGIN_RATELIMIT_SECONDS | Rate limit window | 60 | 120 |
| LOGIN_RATELIMIT_MAX_BURST | Max login attempts | 10 | 5 |
| ATTACHMENT_LIMIT | Max attachment size (KB) | 10240 | 20480 |
| SEND_LIMIT | Max send size (KB) | 1048576 | 2097152 |

Network & Ports

| Variable | Description | Default | Example |
|---|---|---|---|
| VAULTWARDEN_PORT | Main HTTP port | 8088 | 8080 |
| WEBSOCKET_PORT | WebSocket port | 3012 | 3013 |

Data Paths

| Variable | Description | Default | Example |
|---|---|---|---|
| VAULTWARDEN_DATA_PATH | Vaultwarden data directory | ./data | /opt/vaultwarden/data |
| BACKUP_DATA_PATH | Backup storage directory | ./backups | /opt/backups |

Email Configuration (Optional)

| Variable | Description | Default | Example |
|---|---|---|---|
| SMTP_HOST | SMTP server hostname | - | smtp.gmail.com |
| SMTP_FROM | From email address | - | vault@example.com |
| SMTP_PORT | SMTP server port | 587 | 465 |
| SMTP_SECURITY | SMTP security method | starttls | force_tls |
| SMTP_USERNAME | SMTP username | - | user@example.com |
| SMTP_PASSWORD | SMTP password | - | app-password |

Backup Settings

| Variable | Description | Default | Example |
|---|---|---|---|
| BACKUP_DELETE_AFTER | Days to keep backups | 30 | 7 |
| BACKUP_CRON_TIME | Backup schedule (cron) | 0 2 * * * | 0 3 * * 0 |
| BACKUP_UID | Backup process user ID | 1000 | 1001 |
| BACKUP_GID | Backup process group ID | 1000 | 1001 |
| TZ | Timezone | America/Argentina/Buenos_Aires | Europe/London |

Logging

| Variable | Description | Default | Example |
|---|---|---|---|
| LOG_LEVEL | Vaultwarden log level | warn | info |
| EXTENDED_LOGGING | Enable extended logging | true | false |

Notification Services

| Variable | Description | Required | Example |
|---|---|---|---|
| GOTIFY_TOKEN | Gotify application token | No | AbCdEf123456 |
| GOTIFY_SERVER | Gotify server URL | No | https://gotify.example.com |
| SLACK_WEBHOOK | Slack webhook URL | No | https://hooks.slack.com/... |
| DISCORD_WEBHOOK_ID | Discord webhook ID | No | 123456789 |
| DISCORD_WEBHOOK_TOKEN | Discord webhook token | No | webhook-token |

Docker Compose Profiles

The docker-compose.yml includes optional services that can be enabled using profiles:

Watchtower (Auto-updates)

# Enable automatic container updates
docker-compose --profile watchtower up -d

Watchtower will:

  • Check for image updates daily
  • Automatically update containers with the watchtower.enable=true label
  • Send notifications via Gotify when updates occur
  • Clean up old images after updates

Volumes

| Path | Description | Permissions | Configurable Via |
|---|---|---|---|
| /data | Vaultwarden data directory | Read-only (backup) | VAULTWARDEN_DATA_PATH |
| /backups | Backup storage location | Read/Write | BACKUP_DATA_PATH |
| /etc/localtime | Host timezone | Read-only | System mount |

Security Features

The improved docker-compose.yml includes several security hardening measures:

  • No new privileges: Containers cannot escalate privileges
  • Capability dropping: Removes unnecessary Linux capabilities
  • Non-root execution: Services run as non-root users (app:app)
  • Read-only mounts: Data volumes mounted read-only where possible
  • Apprise integration: Secure notifications via standard webhooks
  • Minimal attack surface: Alpine-based image with essential dependencies only
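
One way to confirm that the running backup container actually has the settings listed above. This is an added example, not the project's own code; the function names and the semicolon-separated field order are this example's conventions, and `backup` is assumed to be the compose service name used in the log commands on this page.

```shell
#!/bin/sh
# Added example, not part of vaultwarden_backup.
# Field order (user;security_opt;cap_drop;mounts) is this example's convention.
INSPECT_FMT='{{.Config.User}};{{.HostConfig.SecurityOpt}};{{.HostConfig.CapDrop}};{{range .Mounts}}{{.Destination}}={{.RW}} {{end}}'

# Reads one line in INSPECT_FMT layout on stdin, prints one finding per
# hardening claim that does not hold, and returns 1 if any was printed.
# An empty user means neither the image nor the compose file sets one;
# an entrypoint may still drop privileges, so confirm inside the container.
check_hardening_line() {
    awk -F';' '
        $1 == "" || $1 == "0" || $1 == "root" || $1 ~ /^0:/ {
            print "runs as root or user unset: [" $1 "]"; bad = 1 }
        $2 !~ /no-new-privileges/ || $2 ~ /no-new-privileges[:=]false/ {
            print "no-new-privileges not set"; bad = 1 }
        $3 == "" || $3 == "[]" {
            print "no capabilities dropped"; bad = 1 }
        $4 ~ /(^| )\/data=true/ {
            print "/data is mounted read-write"; bad = 1 }
        END { exit bad + 0 }
    '
}

# Resolves the backup service's container and checks its live configuration.
audit_backup_container() {
    id=$(docker-compose ps -q backup)
    [ -n "$id" ] || { echo "backup container not found"; return 1; }
    docker inspect --format "$INSPECT_FMT" "$id" | check_hardening_line
}
```

The `/data` check applies to the backup service only, since Vaultwarden itself needs write access to its data directory.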

🔧 Building

Multi-architecture Build

The Docker image supports amd64, arm64, and arm/v7 architectures.

# Create buildx builder
docker buildx create --name mybuilder --use

# Build for multiple platforms
docker buildx build -t your-registry/vaultwarden_backup:latest \
  --platform linux/amd64,linux/arm64,linux/arm/v7 \
  --push .

🔍 Troubleshooting

Common Issues

  1. Permission Denied

    • The backup process runs as user app (UID 1000). Ensure the backup volume is writable by this user.
    • Check volume permissions on the host.
  2. Timezone Issues

    • Mount /etc/localtime or set the TZ environment variable.
  3. Backup Failures

    • Check disk space.
    • Verify that Vaultwarden data is correctly mounted to /data.

Logs

  • Docker stdout (recommended): docker-compose logs -f backup
  • Internal backup logs: /app/log/backup.log

📚 Resources

🤝 Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

📄 License

This project is licensed under the MIT License - see the LICENSE file for details.

About

Backs up Vaultwarden files and directories automatically (Docker container) with notifications (Apprise integration)

Languages

  • Shell 82.1%
  • Dockerfile 17.9%