Template for deploying Vaultwarden on Fly.io
This is a template for deploying Vaultwarden on Fly.io with Caddy for websockets support and supercronic for hourly restic backups with e-mail failure notification via msmtp.
This uses a single fly machine, within Fly's free allowance.
You first need to create a new repo for your config, by clicking on the Use this template button on this page.
Then, clone your new repo and cd into it.
-
Install go-task:
We use go-task to automate some steps. You can check the task code under .taskfiles to see which commands each task runs.
brew install go-task/tap/go-task
-
Install flyctl:
brew install flyctl
The .config.env file contains environment variables needed to deploy the apps in this template.
- Copy the .config.sample.env to .config.env and fill out all the environment variables. All uncommented variables are required.
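A pre-deploy check for the "all uncommented variables are required" rule, as an added example that is not part of the template's own tasks. It assumes plain KEY=value lines without trailing comments, and the variable names in the demo are made up, not the template's real ones.

```shell
#!/bin/sh
# Added example: list variables that .config.sample.env requires (uncommented
# KEY=... lines) but that are missing or empty in .config.env.
# Only names are printed, never values, because the file holds secrets.

# list_keys FILE: names of uncommented KEY=VALUE assignments, one per line
list_keys() {
    sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1"
}

# value_of FILE KEY: value of the last assignment of KEY, outer quotes removed
value_of() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# missing_vars SAMPLE CONFIG: print each required name that is unset or empty
# in CONFIG. Returns 0 if nothing is missing, 1 otherwise, 2 if unreadable.
missing_vars() {
    sample=$1; config=$2; rc=0
    [ -r "$sample" ] && [ -r "$config" ] || { echo "cannot read input" >&2; return 2; }
    for key in $(list_keys "$sample" | sort -u); do
        if [ -z "$(value_of "$config" "$key")" ]; then
            echo "$key"
            rc=1
        fi
    done
    return "$rc"
}

# Demo on constructed files; the variable names are made up for illustration
# and are not the template's real ones.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'EXAMPLE_APP=' 'EXAMPLE_DOMAIN=' '# EXAMPLE_OPTIONAL=' \
        'EXAMPLE_SMTP_PASSWORD=' > "$dir/sample.env"
    printf '%s\n' 'EXAMPLE_APP=my-vault' 'EXAMPLE_DOMAIN=""' \
        '# EXAMPLE_SMTP_PASSWORD=placeholder' > "$dir/config.env"
    if missing_vars "$dir/sample.env" "$dir/config.env"; then status=0; else status=$?; fi
    rm -rf "$dir"
    return "$status"
}

demo || echo "fill in the variables listed above before deploying" >&2
```

Against a real checkout, call `missing_vars .config.sample.env .config.env` from the repo root before deploying.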
Fly.io setup
For some commands below, we use a task instead of flyctl because the task writes (on app creation) and reads (on subsequent commands) your app name from the config file. This is the only way to keep your app name hidden.
-
Sign up for Fly
If you already have a Fly account, use flyctl auth login instead.
flyctl auth signup
-
Create a new fly app
If this is your first app, you'll be asked to add credit card information, but don't worry, you won't be charged for this app.
task fly:app:create
-
Create a new volume
This will show you a warning about individual volumes. It's OK to have a single volume because we're not concerned about downtime for our Vaultwarden instance.
task fly:volume:create
-
Deploy your app
task fly:app:deploy
-
Set up your custom domain
After your app is deployed, follow the steps here to set up your custom domain.
-
Open your new Vaultwarden website
That's all! Now you can open your custom domain and Vaultwarden should work.
This template uses Renovatebot to scan and open new PRs when dependencies are out of date.
To enable this, open their GitHub app page, click the "Configure" button, then choose your repo. The template already provides Renovate configs and there's no need for further action.
If your deployment failed or you can't open Vaultwarden web, you can see the logs with:
task fly:app:logs
If that command fails (e.g., if the machine is stopped), try opening your logs in the browser:
task fly:app:logs:web
You can also SSH into the machine with:
task fly:app:ssh
and check individual logs using overmind:
# Run this command inside your fly machine
overmind connect vaultwarden
This will open a tmux window with vaultwarden logs.
You can scroll your tmux window with Ctrl-B-] and use Ctrl-B-D to exit the tmux window.
Substitute vaultwarden with caddy, or backup to see logs for other apps.
After your first manual deploy to Fly.io, per the instructions above, you can set up continuous deployment via GitHub Actions.
-
Install GitHub CLI
brew install gh
-
Log in to GitHub
gh auth login
-
Set Fly secrets in your GitHub repo
task github:secrets:set
-
Test your workflow deployment
task github:workflow:deploy
That's all! Now, any changes to your Dockerfile, fly.toml or scripts/config will trigger a fly deploy.
-
Why does every fly command I run error with: Error: the config for your app is missing an app name?
For security reasons the app name is not saved in the fly.toml file. In that case, you have to add -a your-app-name to all fly commands. Your app name is found in your .config.env file.
Example:
fly secrets list -a your-app-name
Or you can add:
app = "your-app-name"
to the beginning of your fly.toml file.
-
How do I update the environment variables?
After updating the .config.env file, you can update your environment variables in two different ways:
task fly:secrets:set
will read your .config.env file and import every defined variable to your fly app. Or you can just do a new deployment:
task fly:app:deploy
which will run the command above and do a new deployment afterwards.