Quick Start
Your first sovereign service — from bare metal to a password manager you actually own
Forget the generic "deploy nginx" tutorial. You're here because you want to own your infrastructure. Let's start with something that matters: getting your passwords off someone else's cloud.
By the end of this guide, you'll have Vaultwarden running on your own hardware, behind a reverse proxy, with TLS. That's not a toy — that's a real service replacing a real dependency.
What you need
- A machine running Linux. Debian or Ubuntu is simplest. An old laptop, a mini PC, a Proxmox VM — any of these work. If you're already running Proxmox, spin up an LXC container.
- Docker and Docker Compose. If you don't have these yet:
  curl -fsSL https://get.docker.com | sh
  sudo usermod -aG docker "$USER"
  Log out and back in for the group change to take effect.
- A domain name pointing to your server's IP (for TLS). If you don't have one yet, you can start without it — Vaultwarden works over HTTP on your local network.
Step 1: Create the project structure
mkdir -p ~/services/vaultwarden
cd ~/services/vaultwarden
I keep every service in its own directory under ~/services/. 25+ containers, each with its own compose file, its own data volume, its own log context. Don't dump everything into one monolith compose file — you'll regret it at 3am when you need to restart one service without touching the others.
Step 2: Write the compose file
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      - SIGNUPS_ALLOWED=false
      - ADMIN_TOKEN=${ADMIN_TOKEN}
    volumes:
      - ./data:/data
    ports:
      - "8080:80"
Create a .env file next to it:
# Generate a secure admin token
ADMIN_TOKEN=$(openssl rand -base64 48)
echo "ADMIN_TOKEN=$ADMIN_TOKEN" > .env
echo "Save this token somewhere safe. You need it to access /admin."
cat .env
Step 3: Launch it
docker compose up -d
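That's it. Vaultwarden is running on port 8080. Hit http://your-server-ip:8080 in a browser. The compose file above already sets SIGNUPS_ALLOWED=false, so to register your own account, temporarily set it to true and run docker compose up -d again. Create your account, then immediately set SIGNUPS_ALLOWED=false in the compose file and restart. You don't want open registration.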
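A pre-flight check for the directory built in Steps 1 to 3, as an added example that is not part of the original guide: it flags open registration, a hard-coded or weak admin token, a readable .env, and a port published on every interface. The compose file name docker-compose.yml, GNU stat, and the 32-character token minimum are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original guide): audit a Vaultwarden service
# directory laid out as in Steps 1-3. Prints one FINDING line per problem
# and returns non-zero if there is at least one.
# Assumptions: compose file is named docker-compose.yml; GNU stat (Linux);
# the 32-character minimum token length is this example's own threshold.

audit_vaultwarden() {
    dir=$1
    compose="$dir/docker-compose.yml"
    envfile="$dir/.env"
    findings=0
    flag() { printf 'FINDING: %s\n' "$1"; findings=$((findings + 1)); }

    if [ ! -f "$compose" ]; then
        flag "no compose file at $compose"
        return 1
    fi

    # Registration must be closed once your own account exists
    # (matches list-form environment entries, as used in the guide).
    grep -Eq '^[[:space:]]*-[[:space:]]*SIGNUPS_ALLOWED=false[[:space:]]*$' "$compose" ||
        flag "SIGNUPS_ALLOWED is not false: anyone who can reach the port can register"

    # The token belongs in .env; a literal value in the compose file leaks
    # as soon as the file is shared or committed.
    if grep 'ADMIN_TOKEN=' "$compose" | grep -qvF 'ADMIN_TOKEN=${ADMIN_TOKEN}'; then
        flag "ADMIN_TOKEN is hard-coded in $compose"
    fi

    # A "host:container" mapping with no host IP listens on every interface,
    # here over plain HTTP.
    if grep -Eq '^[[:space:]]*-[[:space:]]*"?[0-9]+:[0-9]+"?[[:space:]]*$' "$compose"; then
        flag "port published on all interfaces; bind to 127.0.0.1 behind a TLS reverse proxy"
    fi

    if [ ! -f "$envfile" ]; then
        flag "no .env file next to the compose file"
    else
        # .env holds the /admin secret: owner-only permissions.
        case $(stat -c %a "$envfile") in
            *00) ;;
            *) flag ".env is readable by group or others (chmod 600 .env)" ;;
        esac
        token=$(sed -n 's/^ADMIN_TOKEN=//p' "$envfile" | head -n 1)
        [ "${#token}" -ge 32 ] || flag "ADMIN_TOKEN is missing or shorter than 32 characters"
    fi
    [ "$findings" -eq 0 ]
}
```

Run it as audit_vaultwarden ~/services/vaultwarden. With the files exactly as written above, expect the port finding (and the .env permissions finding under a default umask) until the mapping is bound to 127.0.0.1 behind a TLS reverse proxy and .env is restricted to its owner.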
Step 4: Import your passwords
Export from whatever you're using now (LastPass, 1Password, Chrome, Firefox — they all have export options). Import into Vaultwarden through the web vault. Install the Bitwarden browser extension and mobile app, point them at your server URL. Done.
Your passwords now live on your metal. No one else has access. No breach notification emails. No surprise terms-of-service changes.
What's next
This is one service. The pattern is the same for everything else:
- Create a directory
- Write a compose file
- Deploy
- Configure
Once you have a few services running, you'll want a reverse proxy in front of them so you can access them by name instead of port number, with proper TLS certificates. That's where Traefik + CrowdSec comes in.
For the full picture of what a mature self-hosted stack looks like — 25+ services, organized, monitored, secured — see The Stack.
The day you migrate off a centralized password manager feels like something. That feeling is sovereignty. Keep going.