Quadlet Config Share: Vaultwarden
This article is part of the “quadlet config snippets” series. It goes straight to the config and does not cover Quadlet basics. For an introduction, see Podman Tutorial.
Vaultwarden
Vaultwarden is a lightweight Rust implementation of Bitwarden. It uses very little system resources and can run in a single container.
Configuration
Vaultwarden uses SQLite by default, which is enough for personal use. For production, PostgreSQL is recommended.
Option 1: SQLite (Single Container)
For personal use, SQLite is the simplest option. One .container file is enough:
[Container]
Image=docker.io/vaultwarden/server:latest
PublishPort=8080:80
Volume=/path/to/vw-data:/data
Environment=ADMIN_TOKEN=123
AutoUpdate=registry
[Service]
Restart=always
[Install]
WantedBy=default.target- Replace
/path/to/with your own path. - Replace
8080with the port you want to expose. - Replace
123with a strong secret.
Option 2: PostgreSQL (Pod)
For production, PostgreSQL is recommended. Use a Pod to run Vaultwarden and the database together:
# vaultwarden.pod
[Pod]
PublishPort=8080:80
UserNS=keep-id
[Install]
WantedBy=default.target# vaultwarden.container
[Unit]
Requires=vaultwarden-db.service
After=vaultwarden-db.service
[Container]
Image=docker.io/vaultwarden/server:latest
Pod=vaultwarden.pod
Volume=/path/to/vw-data:/data
Environment=DATABASE_URL=postgresql://vaultwarden:[email protected]:5432/vaultwarden ADMIN_TOKEN=123
AutoUpdate=registry
Group=0
User=0
[Service]
Restart=always
[Install]
WantedBy=default.target# vaultwarden-db.container
[Container]
Image=docker.io/library/postgres:17-alpine
Pod=vaultwarden.pod
Volume=/path/to/vw-pgdata:/var/lib/postgresql/data
Environment=POSTGRES_USER=vaultwarden POSTGRES_PASSWORD=vaultwarden POSTGRES_DB=vaultwarden
AutoUpdate=registry
[Service]
Restart=always
[Install]
WantedBy=default.target- Replace
/path/to/with your own path. - Replace
8080with the port you want to expose. - Replace
123with a strong secret.
Start
- Save the files above to
~/.config/containers/systemd/. - Run
systemctl --user daemon-reload. - Start the containers.
- For the single-container setup, run
systemctl --user start vaultwarden. - For the Pod setup, run
systemctl --user start vaultwarden-pod.
- For the single-container setup, run
- Optional: enable auto-update with
systemctl --user enable --now podman-auto-update.timer.
Reverse Proxy
The Pod exposes port 8080. You can reverse proxy it to your domain with Caddy or Nginx. Make sure HTTPS is enabled, because Vaultwarden clients require HTTPS.
Example Caddy config:
vw.example.com {
reverse_proxy 127.0.0.1:8080
}Visit vw.example.com/admin and log in to the admin page with the configured ADMIN_TOKEN.