VaultWarden is a lightweight, open-source Bitwarden server. Deploying it on Docker with Portainer and securing it via Nginx Proxy Manager ensures easy access, security, and maintenance for your password manager. MariaDB isn't an officially supported backend, but experienced users can try it in place of SQLite. This guide explains the full Docker setup.
Prerequisites
- Docker & Portainer installed and running.
- Nginx Proxy Manager installed (as a Docker container).
- A domain or subdomain (e.g., vault.yourdomain.com) pointed to your server's IP.
- Open TCP ports 80, 443 on your server.
- Again: for stable, production setups, use SQLite/Postgres/MySQL 8.
Step 1: Create VaultWarden + MariaDB Stack in Portainer
1.1 Access Portainer
Visit http://YOUR.SERVER.IP:9000 and log in.
1.2 Add a New Stack
- Go to Stacks > + Add stack.
- Name it, e.g., vaultwarden-mariadb.
1.3 Paste in the Stack YAML (docker-compose format)
version: '3.8'
services:
  mariadb:
    image: mariadb:11.4
    container_name: vaultwarden-mariadb
    restart: unless-stopped
    environment:
      - MARIADB_DATABASE=vaultwarden
      - MARIADB_USER=vaultwarden
      # Placeholder values: replace both passwords before deploying
      - MARIADB_PASSWORD=supersecurepassword
      - MARIADB_ROOT_PASSWORD=superrootpassword
    volumes:
      - vw-mariadb-data:/var/lib/mysql
    networks:
      - vw-net
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    depends_on:
      - mariadb
    environment:
      # The password in this URL must match MARIADB_PASSWORD above
      - DATABASE_URL=mysql://vaultwarden:supersecurepassword@mariadb:3306/vaultwarden
      # Placeholder value: replace with your own long random string
      - ADMIN_TOKEN=use_a_long_random_string
    volumes:
      - vaultwarden-data:/data
    networks:
      - vw-net
    # Don't map ports, will use NPM
volumes:
  vw-mariadb-data:
  vaultwarden-data:
networks:
  vw-net:
    # Fixed name; otherwise Compose prefixes the network with the stack name
    name: vw-net
    driver: bridge
Notes:
- Change passwords and ADMIN_TOKEN to secure values.
- By default, no port is mapped; Nginx Proxy Manager will forward traffic via Docker networking.
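An added example (not part of the original guide): a POSIX shell helper that generates the three secrets for the stack above and rejects the guide's placeholder values. It emits hex only, because the database password is embedded in DATABASE_URL, where characters such as @, / or : would break URL parsing; the function names and the 32-character minimum are assumptions of this example.

```shell
#!/bin/sh
# Added example: secret generation for the vaultwarden-mariadb stack.
# Function names and the 32-character minimum are assumptions of this example.

# gen_secret N: print N random bytes as 2N lowercase hex characters.
gen_secret() {
    head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# is_weak VALUE: succeed (return 0) if VALUE is one of the guide's
# placeholders, is shorter than 32 characters, or contains a character
# that is not safe inside the mysql:// DATABASE_URL.
is_weak() {
    case "$1" in
        supersecurepassword|superrootpassword|use_a_long_random_string)
            return 0 ;;
        *[!A-Za-z0-9_-]*)
            return 0 ;;
    esac
    if [ "${#1}" -lt 32 ]; then
        return 0
    fi
    return 1
}

# write_env FILE: write fresh secrets to FILE, readable by the owner only.
# Runs in a subshell so the umask change does not leak to the caller.
write_env() (
    umask 077
    db_pw=$(gen_secret 24)
    root_pw=$(gen_secret 24)
    admin_token=$(gen_secret 32)
    cat > "$1" <<EOF
MARIADB_PASSWORD=$db_pw
MARIADB_ROOT_PASSWORD=$root_pw
ADMIN_TOKEN=$admin_token
DATABASE_URL=mysql://vaultwarden:$db_pw@mariadb:3306/vaultwarden
EOF
)

# Usage: sh gen-secrets.sh stack.env
if [ "$#" -gt 0 ]; then
    write_env "$1"
fi
```

Copy the generated values into the stack's environment entries in place of the placeholders, and keep the generated file out of version control.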
1.4 Deploy the Stack
Click “Deploy the stack” and wait for containers to start.
Step 2: Connect Nginx Proxy Manager to the Docker Network (if needed)
To allow NPM to forward by container name, attach NPM to the same Docker network.
Assume your NPM container is named nginx-app-1:
You can do this using the Portainer UI (Containers > nginx-app-1 > Networks > Join network > select vw-net),
or via the CLI:
docker network connect vw-net nginx-app-1
Step 3: Add a Proxy Host in Nginx Proxy Manager
- Go to NPM UI: http://YOUR.SERVER.IP:81
- Proxy Hosts > Add Proxy Host
- Settings:
  - Domain Names: vault.yourdomain.com
  - Scheme: http
  - Forward Hostname/IP: vaultwarden
  - Forward Port: 80
  - Block Common Exploits: Checked
- SSL Tab:
  - Enable SSL: Yes
  - Force SSL: Yes
  - Request a new SSL Certificate: Use your email and agree to TOS
- Save
Step 4: Access Vaultwarden
- In your browser, go to https://vault.yourdomain.com
- You should see the VaultWarden login screen.
- If you want to access the admin panel: https://vault.yourdomain.com/admin (use the ADMIN_TOKEN you set)
Troubleshooting
- 502 Gateway Error: Verify NPM is on the same network and forwarding to the right container name and port.
- Database Errors: If you see “unsupported backend” or MariaDB-related errors, this is a sign MariaDB isn’t compatible. Try with MySQL 8 or switch to SQLite for production use.
- SSL Issues: Make sure DNS is correct and ports 80/443 are open.
Security & Production Warnings
- MariaDB is not supported by Vaultwarden, even if it appears to work at first. Use MySQL 8 or SQLite/PostgreSQL instead.
- Back up your /data and database volumes regularly.
- Always use a strong ADMIN_TOKEN.
Conclusion
You’ve now deployed Vaultwarden in Docker using Portainer, experimented with MariaDB as a backend, and secured your setup using Nginx Proxy Manager! For mission-critical password management, please consider using SQLite, MySQL 8, or PostgreSQL.
Happy Self-Hosting! Have questions? Drop them below.