From d8fe90dc3ec3cf2dc4b15a64194e23f4a5774013 Mon Sep 17 00:00:00 2001 From: baldnerd Date: Sat, 12 Jul 2025 17:37:48 +0000 Subject: [PATCH] Revisions - Replace installation section with a Getting Started, which helps clarify the activation process. - Clarify security notes with a new section, also including info about Let's Encrypt. - Add info about backup recommendations. --- README.md | 60 ++++++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 51 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index f42e026..3880a0f 100644 --- a/README.md +++ b/README.md 
@@ -25,18 +25,60 @@ It does **not** validate your environment or attempt to preserve existing config --- -## 🚀 Installation -On a fresh Debian 12 system, clone the password-manager repository and then run: +## 🚀 Getting Started -```bash -./installer.sh -``` +1. Deploy this appliance on a fresh **Debian 12** machine (VM or bare-metal). +2. Run: + ```bash + ./installer.sh + ``` +3. Once complete, open a browser and visit: -After installation: -- Access the appliance at `http:///` -- Go to `/activate` to complete first-time configuration -- After submitting the form, Vaultwarden will use your custom settings + ``` + https:///activate + ``` + + DO NOT omit this step. Doing so would be an extreme security risk. +4. Copy the admin token provided and store it somewhere safe. +5. Visit: + + ``` + https:///admin + ``` + + to begin using the Vaultwarden admin interface. +5. Visit: + + ``` + https:/// + ``` + + to begin using Vaultwarden. + +--- + +## 🔐 Security Notes + +- This appliance uses **self-signed SSL certificates** by default. If hosting on a domain, Let's Encrypt `certbot` is included. You can run `certbot --nginx` to obtain and install HTTPS certificates automatically. Make sure your domain points to this server before running the command. +- Accessing the web interface **requires HTTPS** — HTTP requests are automatically redirected. +- The **admin token is hashed using Argon2ID** and cannot be retrieved later. If lost, delete `/opt/vaultwarden/.setup-complete` to regenerate using `/activate`. +- Ensure you complete `/activate` immediately after setup to prevent unauthorized configuration. + +--- + +## 💾 Backup Recommendations + +To safely back up your Vaultwarden appliance, include the following: + +- `/opt/vaultwarden/` — Vaultwarden binary, `web-vault`, and persistent config. +- `/var/lib/vaultwarden/` — Environment file (`.env.user`) and state flag (`.setup-complete`). 
+- **Database backup:** Use `mysqldump` to regularly export the `vaultwarden` database, and then backup that file to your backup set. Example dump: + ```bash + mysqldump vaultwarden > /root/vaultwarden-backup.sql + ``` + +Backups should be performed routinely and securely stored. ---
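Review bot: The Security Notes bullet on a lost admin token says to delete `/opt/vaultwarden/.setup-complete`, but the Backup Recommendations list places the `.setup-complete` state flag under `/var/lib/vaultwarden/`. One of the two paths is wrong, and a user following the recovery step could remove the wrong file or find nothing to remove. Please confirm where the installer writes the flag and use that path in both sections. In Getting Started, the list has two items numbered "5."; the final "Visit:" step should be 6. In the backup example, `mysqldump vaultwarden > /root/vaultwarden-backup.sql` writes the full database dump to local disk. Since the README already asks that backups be "securely stored", it would help to say what that means here, for example restricting the dump file to root-only permissions and removing it from the host once it has been copied into the backup set.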