From 27ca93d12f878ebdd4a238d882ce05efe09dc8cb Mon Sep 17 00:00:00 2001 From: Erwan Colin Date: Wed, 15 Oct 2025 15:42:06 +0200 Subject: [PATCH] Updated Using Podman (markdown) --- Using-Podman.md | 146 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 145 insertions(+), 1 deletion(-) diff --git a/Using-Podman.md b/Using-Podman.md index 1ad032f..8602e4a 100644 --- a/Using-Podman.md +++ b/Using-Podman.md 
@@ -137,4 +137,148 @@ If you want the container to have a specific name, you might need to add `ExecSt If the host goes down or the container crashes, the systemd service file should automatically stop the existing container and spin it up again. We can find the error through `journalctl -u container-vaultwarden -t 100`. -Most of the time the errors we see can be fixed by simply upping the timeout in Podman command in the service file. \ No newline at end of file +Most of the time the errors we see can be fixed by simply upping the timeout in Podman command in the service file. + +## Full use of quadlet files for Vaultwarden and database + +The application and the PostgreSQL database are containerised and placed in a pod. The application uses its own network via the Podman network functionality. Persistent volumes are used for database data and for Vaultwarden application data. Secrets used by the deployment containers are managed by the Podman secret functionality. + +```mermaid +flowchart TD + A(vaultwarden.network) --- B(vaultwarden.pod) + B --- C(vaultwarden-app.container) + B --- D(vaultwarden-db.container) + C --- G[/env_file=/etc/vaultwarden/config/] + C --- E[(vaultwarden-app.volume)] + D --- F[(vaultwarden-db.volume)] + D --- H[/env_file=/home/vaultwarden/vaultwarden/vaultwarden-db.env/] + C --- I{{podman-secret: database_url, admin_token}} + D --- J{{podman-secret: postgres_password}} + style A fill:#ffec99 + style B fill:#ffc9c9 + style C fill:#b2f2bb + style D fill:#b2f2bb + style E fill:#a5d8ff + style F fill:#a5d8ff + style G fill:#f08c00 + style H fill:#f08c00 + style I fill:#d0bfff + style J fill:#d0bfff +``` + +This infrastructure is defined using these quadlet files: + +- vaultwarden-app.container +- vaultwarden-app.volume +- vaultwarden-db.container +- vaultwarden-db.volume +- vaultwarden.network +- vaultwarden.pod + +### Definition of the Pod + +Create the file `~/.config/containers/systemd/vaultwarden.pod: + +```systemd +[Pod] 
+PodName=vaultwarden +Network=vaultwarden.network +PublishPort=8080:8080 +``` + +### Definition of the network + + +Create the file `~/.config/containers/systemd/vaultwarden.network: + +```systemd +[Network] +NetworkName=vaultwarden +Gateway=192.168.220.1 +Subnet=192.168.220.0/24 +``` + +### Definition of the persistent volumes + +Create the file `~/.config/containers/systemd/vaultwarden-app.volume`: + +```systemd +[Volume] +VolumeName=vaultwarden-app +``` + +and the file `~/.config/containers/systemd/vaultwarden-db.volume`: + +```systemd +[Volume] +VolumeName=vaultwarden-db +``` + +### Definition of the containers + +Create the file `~/.config/containers/systemd/vaultwarden-app.container`: + +```systemd +[Container] +ContainerName=vaultwarden-app +EnvironmentFile=/etc/vaultwarden/config +HealthCmd=/healthcheck.sh +HealthInterval=120s +HealthRetries=10 +HealthTimeout=45s +Image=docker.io/vaultwarden/server:1.34.3 +Pod=vaultwarden.pod +Secret=database_url,type=env,target=DATABASE_URL +Secret=admin_token,type=env,target=ADMIN_TOKEN +Volume=vaultwarden-app.volume:/data +[Unit] +Requires=vaultwarden-db.service +After=vaultwarden-db.service + +[Install] +WantedBy=default.target +``` + +and the file `~/.config/containers/systemd/vaultwarden-db.container`: + +```systemd +[Container] +ContainerName=vaultwarden-db +EnvironmentFile=/home/vaultwarden/vaultwarden/vaultwarden-db.env +HealthCmd=/usr/bin/pg_isready -q -d vaultwarden -U vaultwarden +HealthInterval=120s +HealthRetries=10 +HealthTimeout=45s +Image=docker.io/library/postgres:17 +Pod=vaultwarden.pod +Secret=postgres_password,type=env,target=POSTGRES_PASSWORD +Volume=vaultwarden-db.volume:/var/lib/postgresql/data + +[Install] +WantedBy=default.target +``` + +### Configuration + +Configuration is done using the environment file `/etc/vaultwarden/config` and `~/vaultwarden/vaultwarden-db.env`. 
+ +In the `~/vaultwarden/vaultwarden-db.env` file set the vars `POSTGRES_USER` and `POSTGRES_DB` + +### Secrets + +You need to define the secrets `postgres_password`, `database_url` and `admin_token` : + +I assume that POSTGRES_USER=vaultwarden and POSTGRES_DB=vaultwarden + +```bash +openssl rand -base64 32|podman secret create postgres_password - +echo "postgres://vaultwarden:$(podman secret inspect --showsecret --format '{{.SecretData}}' postgres_password)@vaultwarden-db/vaultwarden"|podman secret create database_url - +echo -n "MySecretPassword" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4|podman secret create admin_token - +``` + +### Deploy + +```bash +systemctl --user daemon-reload +systemctl --user start vaultwarden-pod.service +``` \ No newline at end of file
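Review bot: In the `### Secrets` block, `openssl rand -base64 32|podman secret create postgres_password -` pipes the trailing newline that `openssl rand` emits into the secret, while the `database_url` line strips it again through the `$(podman secret inspect ...)` command substitution, so `POSTGRES_PASSWORD` and the password inside `DATABASE_URL` may not be byte-identical; the `admin_token` line already guards against this with `echo -n`, so do the same here, e.g. `openssl rand -base64 32 | tr -d '\n' | podman secret create postgres_password -`, and call out that `MySecretPassword` is a placeholder the reader must replace before hashing. Two smaller points in the same hunk: the lines `Create the file `~/.config/containers/systemd/vaultwarden.pod:` and `Create the file `~/.config/containers/systemd/vaultwarden.network:` are missing the closing backtick, and since `PublishPort=8080:8080` in `vaultwarden.pod` binds on every host interface, the text should either say so or suggest `PublishPort=127.0.0.1:8080:8080` for setups where a reverse proxy on the host is the only intended client.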