UPDATE: added browser extension shortcut section on the bottom
UPDATE 30/04/2021 - added new link to a fresh image that this article uses (https://hub.docker.com/r/vaultwarden/server)
UPDATE: 20/4/2021 - added docker-compose code as an alternative to using Synology Docker UI

version: "3.5"
services:
  bw:
    image: vaultwarden/server
    network_mode: "bridge"
    container_name: "bw"
    ports:
      -  "80:80"
      -  "3012:3012"
    volumes:
      -  "/volume2/bitwarden:/data"
    environment:
      - "SMTP_PASSWORD=password" #add SMTP_XXXX variables to allow public user managment (account reset etc)
      - "SMTP_USERNAME=username"
      - "SMTP_SSL=true"
      - "SMTP_PORT=587"
      - "SMTP_FROM=from_email"
      - "SMTP_HOST=smtp.gmail.com"
      - "DOMAIN=https://yourdomain.com" #add your public domain name
      - "TZ=Europe/Paris"
      - "WEBSOCKET_ENABLED=true" #Enable this if you want to use the LiveSync feature on port 3012
      - "SIGNUPS_ALLOWED=false" #true or false if you want to enable or disable public signups
      - "ADMIN_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" #add custom string for logging into the admin UI
    restart: always

In this post, I will focus on running a self-hosted alternative to some commercial solutions out there, like 1Password for example. Nowadays when privacy is at its peak having your personal accounts, passwords, credit cards, etc, in some "cloud" could be an issue for some.

So let's see if BitWarden can be a solution for you. You can self-host it or run your account from BW "cloud" as well.

Let's start.

1st thing - install Docker via Package center or if your NAS doesn't support it, install it manually by downloading the package from Syno site. After that, you can use the Manual install button in Package Center to install Docker. Keep in mind that this is not 100% supported and some features of docker will still not function. If your NAS is from the '+' lineup, then you are good to go.

This tutorial will focus on a custom vaultwarden/server image that I use as well. Its updated and maintained all the time so there is no need to worry. Support for it can be reached on their Matrix chat channel if needed.

After you have installed Docker open it up and you will land on a similar screen:

Docker image pull from hub.docker.com

Switch over to the Registry tab and use the search field to type in bitwarden. After a few seconds, you should get a list similar to this one.

As you can see vaultwarden/server is the top result for me, if that's not the case with you just find it manually. Select it and hit the download button. A pop-up window will show up asking you what version you want. Select latest and click ok.

Now wait for the image to download and DSM will notify you when its ready via a system notification.

As soon as that's done, switch over to the Image tab inside Docker. You should see bitwarden image in the list:

This is an old image. Since then this image has been deprecated. Use the one from the begging

Now that the image has download click on it and press the Launch button on the top.

This action will start the Container creation wizard. So remember, an image creates a container and you can create multiple containers from a single image if you need to. The 1st step in this wizard looks like this:

Container creation wizard

Give the container a name, enable resource limit (optional, but I like to use it to control how much ram and CPU priority container needs) and then click the Advanced Settings button (not Next). As it's shown on the image I gave BW container only 50MB of RAM as maximum (it's not gonna use that much anyway) just to be on the safe side. docker has a great benefit in that it can limit resources so that a buggy image/container will not take all of your NAS resources in case there is a memory leak or some nasty bug in the image itself.

Opening the Advanced settings window will show up multiple tabs that need to be configured (not all and not for every container):

All custom docker settings that can be set using the UI

The Auto-restart feature is nice to have ON in case you need to reboot your NAS or Docker for that matter and want all your containers booting automatically. Ofc this is an optional setting but still. Regarding shortcuts on the desktop, personally, I don't use them. Desktop in this context is DSM desktop, not your computer desktop. I use Heimdall for all my docker URL needs so this option is OFF (again, you can use it if you choose to do so).

Moving to the 2nd tab, Volume. Now, this is the most important thing that needs to be done when working with containers. Read up on those so that I don't start messing with this tutorial too much, but in short, it means this. If you start working with your container, all information, configuration, data, etc, are sandboxed inside the container. This means that after you restart your container (reboot, NAS update, Docker update, docker image update) it will reset itself to initial settings. As a result, all your work will be reset and gone.

That means that in the case of BW, all your imported data, long random passwords that you have defined are gone! Now that you have understood the importance of this let's configure an outside volume that will keep your data safe from this scenario.

Container volume mapping

The Volume tab is used to map files or folders from within the container outside to your local shared folder(s) on your NAS. As a result, even if something happens to the container your data will be safe and all you have to do is recreate the container and attach it to the same volume to get access to your data. That's the whole beauty of Docker. Moving your data around regardless of what's hosting your container.

In the image above I have mapped the left side (your NAS folder structure) to the right side (container mount path). The principal is the same. The left side is your local NAS destination where you want containers folder data stored.

In the case of this BitWarden image, all data is stored in /data folder as indicated by instructions on the image web page. So to recap, I have mapped docker/bitwarden local path (bitwarden is a subfolder of /docker folder that you will get after you install Docker. Ofc you don't have to use that destination if you don't want to) to /data folder that BW image is using. This, as a result, will mean that all my data will actually be in docker/bitwarden folder on my nas and not sandboxed in the container itself.

You can (and preferred to do so) backup those folders as they are essential unlike the rest of the container that's expendable.

Moving over to 3rd tab - Network. Here you can select networks that you want your container to use. You can make new networks for specific subnets or you can use the default one, bridge. In the spirit of this tutorial just use the bridge. This will mean that all containers using this network will be essentially in a NAT configuration with your NAS. Meaning you will access those apps and services using your local NAS IP address and a custom port defined on the following tab, Port Settings.

Container port mappings

Same as with volumes, ports are configured the same way. Left side local host ports (on your NAS), right side container ports. DO NOT change the container side numbers, or you will have problems running the container in the 1st place. It can be reconfigured but you will have to do it on the image level, so not important for now. Another reason why this is not needed is that you can use almost any port for Local port value that you want.

So change auto value to a port of your choosing. The general rule would be to use some non-system/default port like 1024 or above. Keep in mind that if you want to access your Docker containers with a custom domain name on an HTTPS/443 port, this is not the place to do it (separate tutorial for that). Atm you want to stick with a custom number (it can be the same as the container one) to get things going.

My example would be 1024 and 1025 for the pair.

The next tab, Links, is not needed for this container to run. So moving to the last one, Environment.

Even though for this particular container even this tab is not needed, there will be a huge number of images that use this section.

Container environment variables

Most variables are case sensitive so be aware of that. In this example, the image has already a number of variables set for us and there is no need to configure any additional. Keep your eye on the image page that you are about to use for any -e switches as that's the env variable that needs to be configured, added or changed to your needs.

UPDATE:

If you do not want to keep signups open to the public (lets say you are running this site on the internet) then be sure to use this variable to keep sigunps closed after your initial creation!

SIGNUPS_ALLOWED=false

This variable is added in the ui the way that SIGNUPS_ALLOWED is typed in "variable" column and false in the "value". Do not use the = sign.

One more thing that might come in handy is using the admin BW page. To get access to it follow these steps below

Another addition is that you can access your BW admin page by using the following variable:

ADMIN_TOKEN=xxxxxxx

Make sure to generate a long random "key" that you will use as a value for this variable as well as a password to actually log into the admin area.

To access your BW admin page use the following URL:

https://yourBWurl/admin

In order to protect it using a reverse proxy, add this to your RP entry to make the admin page unaccessible via the public URL:

location /admin {
return 404;
}

Of course, you can use your local ip address to access your BW admin page and make any administration needed.


Now that we have gone through all the advanced settings, click Apply and you will close this window. Back in the main window, click Next, review the Summary, and click Apply.

Container creation summary

If you have left the check box next to Run this container after the wizard is finished checked, your container will now be created and started. To verify that all is running well, move to the Container tab in Docker main window to find BW container up and running.

BitWarden running via Docker UI

That's it! All that's left now is to go to your NAS IP address followed by the port number that you have defined to access the user interface.

An example of the URL would be: http://10.100.10.12:80 or whatever port you have defined as a local port for container port 80 (80 would be usually registered as in use).

Now that you have your new BW self-hosted instance running, enjoy it and prepare to make it accessible via the internet using a valid SSL certificate, a custom domain name, and reverse proxy.

Bitwarden extension shortcuts

In case you do use BW a lot when it comes to logging in various sites (both local and remote) you might want to try and use BW keyboard shortcuts to help you in those tasks. Using the extension icon all the time can become tedious, so using your keyboard will come as second nature real quick.

There are four (4) main default shortcuts for browser extension:

Ctrl/CMD + Shift + Y → Activate extension
Ctrl/CMD + Shift + L → Autofill, press again to cycle through matching logins
Ctrl/CMD + Shift + 9 → Generate a password and copy it to the clipboard
Ctrl/CMD + Shift + N → Lock extension

So almost anything you want. One that activates the extension, locks it, as well as autofill the values, and finally generates a password, all under your fingertips.

There is also a benefit of using the shortcuts as for a password that uses TOTP for its 2FA (second-factor authentification) you can simply paste the value once you have invoked the autofill.

Using the Cmd/Ctrl + Shift + L will automatically copy your TOTP to your clipboard after auto-filling. All you have to do is Cmd/Ctrl + V to paste!

Now that's cool right there.