Heard about the latest password breach (since lunch)? Have you been pwned yet (today)? Passwords are broken, and as the number of sites for which you need to store credentials keeps growing, so does the risk of reusing a common password.
'Duh, use a password manager', you say. Sure, but be aware that even password managers have security flaws.
OK, look, smartass: no software is perfect, and there will always be a risk of your credentials being exposed in ways you didn't intend. You can at least minimize the impact of such an exposure by using a password manager to store unique credentials per site, so that one leaked password unlocks one account rather than all of them. While 1Password is king of the commercial password managers, Bitwarden is king of the open-source, self-hosted password managers.
Enter Bitwarden..
Bitwarden is a free and open source password management solution for individuals, teams, and business organizations. While Bitwarden does offer a paid / hosted version, the free version comes with the following (better than any other free password manager!):
- Access & install all Bitwarden apps
- Sync all of your devices, no limits!
- Store unlimited items in your vault
- Logins, secure notes, credit cards, & identities
- Two-step authentication (2FA)
- Secure password generator
- Self-host on your own server (optional)
Ingredients¶
Already deployed:
- Docker swarm cluster with persistent shared storage
- Traefik configured per design
- DNS entry for the hostname you intend to use (or a wildcard), pointed to your keepalived IP
Related:
- Traefik Forward Auth to secure your Traefik-exposed services with an additional layer of authentication
Preparation¶
Setup data locations¶
We'll need to create a directory to bind-mount into our container, so create `/var/data/bitwarden`:
Setup environment¶
Create `/var/data/config/bitwarden/bitwarden.env`, and leave it empty for now.
Question
What, why an empty env file? Well, the container supports lots of customizations via environment variables, for things like toggling self-registration, 2FA, etc. These are too complex to go into for this recipe, but readers are recommended to review the dani-garcia/bitwarden_rs wiki and customize their installation to suit. One caveat worth knowing before you expose the instance: with nothing set, bitwarden_rs defaults to open self-registration (`SIGNUPS_ALLOWED=true`), so anyone who can reach your URL can create an account. Create your own account first, then set `SIGNUPS_ALLOWED=false` in the env file and redeploy.
Setup Docker Swarm¶
Create a docker swarm config file in docker-compose syntax (v3), something like this:
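The author's own compose file lives in the premix repository and is not reproduced on this page. The stack below is an added example, not the author's file: a minimal Swarm service for the bitwarden_rs image behind Traefik, with the two routers the note further down refers to (one for the web/API listener on port 80, one for the websocket notifications hub on port 3012). It assumes Traefik v2 label syntax, an external overlay network named `traefik_public`, a Traefik entrypoint named `https` with a certificate resolver named `main`, and the hostname `bitwarden.example.com`; substitute the names from your own Traefik design. The hardening values under `environment:` are the ones a practitioner would want instead of the empty env file (they could equally be placed in `bitwarden.env`): self-registration off, password hints not shown, websockets on, and an `ADMIN_TOKEN` (without it the `/admin` panel is disabled; with it, the token grants full control over users and settings, so generate a long random one and keep it out of version control).

```yaml
# docker-compose.yml for the bitwarden stack (added example, not the recipe's premix file)
version: "3.2"

services:
  bitwarden:
    # bitwarden_rs: single-container, Bitwarden-compatible server with a SQLite backend.
    # The project has since been renamed Vaultwarden; the image is now vaultwarden/server.
    image: bitwardenrs/server:latest
    env_file: /var/data/config/bitwarden/bitwarden.env
    environment:
      # Assumed hostname; must match the Traefik rule below and use https, since the
      # browser extension and mobile apps refuse to talk to a vault over plain http.
      DOMAIN: https://bitwarden.example.com
      # Default is true: anyone reaching the URL could register. Create your own
      # account first, then set this to false and redeploy.
      SIGNUPS_ALLOWED: "false"
      # Otherwise the password hint is displayed to anyone who types your e-mail
      # address into the "hint" form on the login page.
      SHOW_PASSWORD_HINT: "false"
      # Live sync between clients through the notifications hub on port 3012.
      WEBSOCKET_ENABLED: "true"
      # Placeholder: generate your own, e.g. with `openssl rand -hex 32`.
      ADMIN_TOKEN: replace-me-with-a-long-random-secret
    volumes:
      # /data holds the SQLite database, attachments and RSA keys: back it up.
      - /var/data/bitwarden:/data
    networks:
      - traefik_public
    deploy:
      replicas: 1
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik_public
        # Router 1: every request for the host goes to the web/API listener on port 80.
        - "traefik.http.routers.bitwarden.rule=Host(`bitwarden.example.com`)"
        - traefik.http.routers.bitwarden.entrypoints=https
        - traefik.http.routers.bitwarden.tls.certresolver=main
        - traefik.http.routers.bitwarden.service=bitwarden
        - traefik.http.services.bitwarden.loadbalancer.server.port=80
        # Router 2: only the exact websocket path goes to the notifications hub on 3012.
        # Path() is an exact match, so /notifications/hub/negotiate still hits port 80,
        # which is what bitwarden_rs expects.
        - "traefik.http.routers.bitwarden-ws.rule=Host(`bitwarden.example.com`) && Path(`/notifications/hub`)"
        - traefik.http.routers.bitwarden-ws.entrypoints=https
        - traefik.http.routers.bitwarden-ws.tls.certresolver=main
        - traefik.http.routers.bitwarden-ws.service=bitwarden-ws
        - traefik.http.services.bitwarden-ws.loadbalancer.server.port=3012

networks:
  traefik_public:
    external: true
```

Values given under `environment:` override the same keys in `env_file`, so this file wins if both set `SIGNUPS_ALLOWED`. Deploy with `docker stack deploy bitwarden -c docker-compose.yml`, and confirm the second router is doing its job by checking that the web vault shows changes made from another client without a manual sync.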
Tip
I automatically and instantly share (with my sponsors) a private 'premix' git repository, which includes necessary docker-compose and env files for all published recipes. This means that sponsors can launch any recipe with just a `git pull` and a `docker stack deploy`. Update: Premix now includes an ansible playbook, so that sponsors can deploy an entire stack + recipes with a single ansible command! (more here)
Note
Note the clever use of two Traefik frontends to expose the notifications hub on port 3012. Thanks @gkoerk!
Serving¶
Launch Bitwarden stack¶
Launch the Bitwarden stack by running
docker stack deploy bitwarden -c <path-to-docker-compose.yml>
Browse to your new instance at https://YOUR-FQDN, and create a new user account and master password (just click the **Create Account** button, without filling in your email address or master password on the login page first).
Get the apps / extensions¶
Once you've created your account, jump over to https://bitwarden.com/#download and download the apps for your mobile and browser, and start adding your logins!
Chef's notes¶
- You'll notice we're not using the official container images (all 6 of them required!), but rather a more lightweight version ideal for self-hosting. All of the elements are contained within a single container, and SQLite is used for the database backend. ↩
- As mentioned above, readers should refer to the dani-garcia/bitwarden_rs wiki for details on customizing the behaviour of Bitwarden. (The project has since been renamed Vaultwarden, and the container image to vaultwarden/server; the environment variables are the same.) ↩
- The inclusion of Bitwarden was due to the efforts of @gkoerk in our Discord server- Thanks Gerry! ↩
Last update: February 4, 2021
This article is part of the series Build your very own self-hosting platform with Raspberry Pi and Kubernetes
- Deploy NextCloud on Kubernetes: The self-hosted Dropbox
Introduction
Now that we have prepared our Raspberry Pi cluster to receive Kubernetes as a self-hosting platform, it's time to start installing applications!
NextCloud is open-source file hosting software similar to Dropbox. Unlike Dropbox, NextCloud is not sold by its developers as a SaaS product but is distributed for on-premise use, which means anyone can install and operate it on their own private server. NextCloud lets individuals and organisations keep control over their private data. NextCloud also provides a long list of add-ons that work alongside the file sharing solution, such as calendar & contacts management, audio/video conferencing, task management, photo albums and more.
In this article we will learn how to safely install NextCloud in a Kubernetes environment and configure both desktop and mobile access from anywhere.
Prerequisite
To run through the entire tutorial, we will need:
- A running Kubernetes cluster (see the previous articles if you haven't set this up yet)
- A domain name, in order to access our NextCloud instance from outside our network (replace `<domain.com>` in the examples below with your domain)
- An external static IP (usually the case by default)
- Access to your router admin console, to port-forward incoming requests to our Kubernetes Ingress service
Namespace
We are going to isolate all the Kubernetes objects related to NextCloud in the namespace `nextcloud`. To create a namespace, run the following command:
Persistence
The first step consists in setting up a volume to store our NextCloud data (files and database). If you followed the previous articles to install and configure a self-hosting platform using Raspberry Pi and Kubernetes, you will remember that each worker has an NFS client pointing to an SSD mounted on `/mnt/ssd`.
1. Deploy the Persistent Volume (PV)
The Persistent Volume specifies the name, the size, the location and the access modes of the volume:
- The name of the PV is `nextcloud-ssd`
- The size allocated is 50GB
- The location is `/mnt/ssd/nextcloud`
- The access mode is ReadWriteOnce
Create the following file and apply it to the k8s cluster.
You can verify the PV exists with the following command:
2. Create the Persistent Volume Claim (PVC)
The Persistent Volume Claim is used to bind a Persistent Volume to a deployment or stateful set. Unlike the PV, the PVC belongs to a namespace.
Create the following file and apply it to the k8s cluster.
You can verify the PVC exists with the following command:
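The manifests for the namespace, PV and PVC are not reproduced on this page, so here is an added example covering the three steps above (my example, not the article's original files). It assumes the NFS-backed SSD is mounted at `/mnt/ssd` on every worker, which is why a `hostPath` volume is acceptable here. Two details go beyond what the steps describe and are worth having: the claim is pinned to this exact volume (`storageClassName: manual` plus `volumeName`), so it cannot silently bind to some other PV or trigger a dynamic provisioner, and the reclaim policy is `Retain`, so deleting the Kubernetes objects never deletes your files.

```yaml
# nextcloud.storage.yml (added example). Apply with:
#   kubectl apply -f nextcloud.storage.yml
apiVersion: v1
kind: Namespace
metadata:
  name: nextcloud
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: nextcloud-ssd
  labels:
    app: nextcloud
spec:
  # A non-default class name: dynamic provisioners ignore this PV, and only a
  # claim that asks for "manual" can bind to it.
  storageClassName: manual
  capacity:
    storage: 50Gi
  accessModes:
    - ReadWriteOnce
  # Retain: deleting the PV/PVC leaves the data on disk; remove it by hand if you mean it.
  persistentVolumeReclaimPolicy: Retain
  hostPath:
    # Assumes every worker mounts the shared SSD at /mnt/ssd (see the earlier parts).
    path: /mnt/ssd/nextcloud
    type: DirectoryOrCreate
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nextcloud-ssd
  namespace: nextcloud
spec:
  storageClassName: manual
  # Bind explicitly to the PV above rather than to "any volume that fits".
  volumeName: nextcloud-ssd
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 50Gi
```

After applying, `kubectl get pv nextcloud-ssd` and `kubectl -n nextcloud get pvc nextcloud-ssd` should both report STATUS `Bound`; a claim stuck in `Pending` almost always means the class name, access mode or size does not match the PV.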
Deployment
In the next part, we are going to deploy NextCloud using the stable/nextcloud Helm chart. (The `stable` chart repository has since been deprecated; the chart is now maintained at https://nextcloud.github.io/helm/ and installed as `nextcloud/nextcloud`. The values used below are the same.)
1. Download the Chart values of the chart locally
Run the following command to download the chart values into the local file `nextcloud.values.yml`. If you open the file, you will see the default configuration values used to set up NextCloud. Instead of using the flag `--set property=value` as before, we will use the file `nextcloud.values.yml` to make all the changes.
2. Update the values
We now need to update a few properties before installing the Helm chart. Open the file `nextcloud.values.yml` and change the following properties (replace the information in angle brackets with your own). Take a look at the file if you want to customise NextCloud further:
- Configure emails
- Configure an external database, or deploy a MariaDB as part of the Chart (improves performance)
- Configure a Redis server (improves performance)
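The edited values file itself is not reproduced on this page. The fragment below is an added example of the keys a practitioner would change (my example, not the article's file); merge it into the `nextcloud.values.yml` you downloaded. It goes beyond the article in two places: the admin credentials come from a Kubernetes Secret rather than a plaintext `nextcloud.password` in the values file, and NextCloud is told it sits behind a TLS-terminating proxy, otherwise it generates `http://` links and logs the proxy's address as every client's address. The `existingSecret` and `extraEnv` keys are those of the current nextcloud chart; grep your downloaded values file to confirm your chart version has them. The proxy CIDR is an assumption; use the pod network of your ingress controller.

```yaml
# nextcloud.values.yml (added example: only the keys changed from the chart defaults)
nextcloud:
  # Must match the host in the Ingress; NextCloud refuses requests for hosts it does not trust.
  host: nextcloud.<domain.com>
  # Read admin username/password from a Secret created out-of-band instead of
  # committing a plaintext password in this file.
  existingSecret:
    enabled: true
    secretName: nextcloud-admin
    usernameKey: username
    passwordKey: password
  # The pod is reached through an https ingress; without these NextCloud builds
  # http:// redirect URLs and ignores X-Forwarded-For from the proxy.
  extraEnv:
    - name: OVERWRITEPROTOCOL
      value: https
    - name: TRUSTED_PROXIES
      value: 10.42.0.0/16   # assumed pod CIDR of the ingress controller

persistence:
  enabled: true
  # Re-use the claim created in the Persistence step instead of provisioning a new one.
  existingClaim: nextcloud-ssd

# Keep the chart's own Ingress off: it is created by hand in the Ingress section so
# that the cert-manager annotation and the TLS block stay under our control.
ingress:
  enabled: false
```

Create the Secret before installing, for example `kubectl -n nextcloud create secret generic nextcloud-admin --from-literal=username=admin --from-literal=password="$(openssl rand -base64 24)"`, then install with the Helm 3 form `helm install nextcloud stable/nextcloud --namespace nextcloud --values nextcloud.values.yml` (or `nextcloud/nextcloud` with the current repository). Retrieve the generated password later with `kubectl -n nextcloud get secret nextcloud-admin -o jsonpath='{.data.password}' | base64 -d`.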
3. Install the Chart
In this part, we will install the Helm chart in the namespace `nextcloud`, with `nextcloud.values.yml` as the configuration file. After a couple of minutes, check whether the pod and service are up and running:
4. Debugging
You can check the logs with the following command:
Otherwise, check the log file `/mnt/ssd/nextcloud/data/nextcloud.log`.
Outside access
This step is configured before the ingress, so that a certificate can be issued automatically as soon as we deploy the ingress.
The next part consists of enabling connections to NextCloud from outside, so you can access your data from anywhere.
1. Port Forwarding
First you need to go to your router setup and add a port-forwarding rule mapping any incoming requests on port 80 or port 443 to `192.168.0.240` (the LoadBalancer IP of the Nginx ingress controller). Port 443 carries the actual traffic; port 80 is needed for the HTTP-01 certificate challenge, if that is the challenge type your issuer uses, and for the redirect to https. Forward nothing else.
(screenshot: VirginHub port-forwarding)
2. Map the subdomain `nextcloud.<domain.com>` to your home router
First you need to find out your router's external IP: run this command, or go to whatismyip.com.
Then we need to configure our subdomain to make sure `nextcloud.<domain.com>` resolves to our external static IP. Go to your domain provider's console / DNS management and add a record:
- Type: A
- Name: nextcloud (subdomain)
- Value: x.x.x.x (external static IP)
(screenshot: GoDaddy DNS management)
Ingress
At this point, the application (pod `nextcloud-78f5564f89-854jr`) is only accessible within the cluster on port 8080. To make it accessible from outside the cluster (on our network), we need to deploy an Ingress mapping service:port to a route of the Nginx proxy. Because this route will also be exposed over the Internet, we will also issue a certificate to encrypt the traffic with TLS.
1. Create the ingress config file
Create the file `nextcloud.ingress.yml` containing:
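The article's ingress file is not reproduced on this page; the manifest below is an added example (mine, not the article's) of an ingress-nginx Ingress with a cert-manager annotation that triggers certificate issuance on deployment. It assumes a ClusterIssuer named `letsencrypt-prod` exists from an earlier part of the series, that the ingress class is `nginx`, and that the chart created a Service named `nextcloud` listening on port 8080, as the text above says. It uses the `networking.k8s.io/v1` API (Kubernetes 1.19+); on older clusters use `networking.k8s.io/v1beta1`, a `serviceName`/`servicePort` backend, and the `kubernetes.io/ingress.class: nginx` annotation instead of `ingressClassName`.

```yaml
# nextcloud.ingress.yml (added example, not the article's original file)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nextcloud
  namespace: nextcloud
  annotations:
    # Assumed ClusterIssuer name; cert-manager issues a certificate for spec.tls below.
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # ingress-nginx rejects request bodies over 1m by default; NextCloud uploads are larger.
    nginx.ingress.kubernetes.io/proxy-body-size: "10G"
    # Already the default once tls is set, stated explicitly so the intent is visible.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - nextcloud.<domain.com>
      # cert-manager writes the issued certificate and private key into this Secret.
      secretName: nextcloud-tls
  rules:
    - host: nextcloud.<domain.com>
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                # Service created by the Helm release, reachable in-cluster on 8080.
                name: nextcloud
                port:
                  number: 8080
```

Deploy it with `kubectl apply -f nextcloud.ingress.yml`, then watch `kubectl -n nextcloud get certificaterequest,certificate`; if the certificate does not become READY within a few minutes, `kubectl -n nextcloud describe certificate nextcloud-tls` shows the failing step, and the usual cause is the DNS record or the port 80 forward not yet reaching the ingress controller. Until the certificate is issued, ingress-nginx serves its self-signed fallback certificate, so a browser warning at this stage is expected, not a sign the Ingress is wrong.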
2. Deploy the Ingress
Now deploy the ingress:
3. Check the certificate issuance
After you have deployed the ingress, a certificate should be issued; check the `certificaterequest` and `certificate` resources (it might take a couple of minutes to become READY):
Conclusion
Alright, still with me? :) You can now try to access your NextCloud instance using your browser, mobile or the Android/iOS app, from home or outside, via https://nextcloud.<domain.com>.
Connect with the user admin and the password configured in the file `nextcloud.values.yml`. You can also download the Android or iOS app to access your data, sync your photos automatically, and more.
- Kauri original title: (4/8) Deploy NextCloud on Kuberbetes The self-hosted Dropbox
- Kauri original link: https://kauri.io/48-deploy-nextcloud-on-kuberbetes-the-selfhosted-d/f958350b22794419b09fc34c7284b02e/a
- Kauri original author: Grégoire Jeanmart (@gregjeanmart)
- Kauri original Publication date: 2020-03-31
- Kauri original tags: self-hosting, nextcloud, kubernetes, dropbox, open-source, file-hosting, helm
- Kauri original hash: QmaKwvWjA1eTYcnE4o1gwTFvpWkegaYZZ8JRzJhzXjEyiK
- Kauri original checkpoint: unknown