Bitwarden Lite — Self-Hosted on Opalstack
Deploy the official Bitwarden Lite server as a single container on Opalstack using rootless Podman. Bitwarden Lite was chosen over the standard version because it suits shared hosting environments.
Please note that this only works on our new AlmaLinux 9 servers. You can migrate today! Email support for assistance 🙂
If you want to avoid obtaining an official installation ID and key, a good alternative may be something like Vaultwarden, which may also be viable on older CentOS servers. But that is outside the scope of this guide.
1. Control Panel Setup
- Create an NGINX Proxy Port app and note the assigned port.
- Attach the app to a site with your domain and a Let's Encrypt certificate.
- Get your installation ID and key from https://bitwarden.com/host/.
2. Create Directory and Config
mkdir -p ~/apps/<app_name>/bwdata
Create ~/apps/<app_name>/settings.env with your values:
cat > ~/apps/<app_name>/settings.env <<'EOF'
BW_DOMAIN=vault.yourdomain.com
BW_DB_PROVIDER=sqlite
BW_INSTALLATION_ID=<id>
BW_INSTALLATION_KEY=<key>
BW_ENABLE_SSL=false
BW_PORT_HTTP=<PORT>
PUID=<your uid>
PGID=<your gid>
EOF
Get your UID and GID with:
id -u && id -g
3. Pull and Run
podman run -d \
--name bitwarden \
-v ~/apps/<app_name>/bwdata:/etc/bitwarden:Z \
-p 127.0.0.1:<PORT>:<PORT> \
--env-file ~/apps/<app_name>/settings.env \
ghcr.io/bitwarden/lite:latest
4. Persist Across Reboots
(crontab -l 2>/dev/null; echo "@reboot podman start bitwarden") | crontab -
5. Verify
podman logs bitwarden
curl -I http://127.0.0.1:<PORT>/
You should see all services in RUNNING state in the logs and an HTTP/1.1 200 OK from curl. Visit https://vault.yourdomain.com in a browser to confirm.
6. Disable Public Registration
Create your account first, then add the following line to settings.env:
globalSettings__disableUserRegistration=true
Recreate the container to apply:
podman stop bitwarden && podman rm bitwarden
podman run -d \
--name bitwarden \
-v ~/apps/<app_name>/bwdata:/etc/bitwarden:Z \
-p 127.0.0.1:<PORT>:<PORT> \
--env-file ~/apps/<app_name>/settings.env \
ghcr.io/bitwarden/lite:latest
Note: The signup page will still be visible — this is normal. The server blocks the registration at the API level.
7. SMTP (Optional)
SMTP is not required for core vault functionality. Add it later if you need email verification, email-based 2FA, organization invites, or password hint emails.
Add these lines to settings.env:
globalSettings__mail__replyToEmail=no-reply@yourdomain.com
globalSettings__mail__smtp__host=<smtp-host>
globalSettings__mail__smtp__port=587
globalSettings__mail__smtp__ssl=false
globalSettings__mail__smtp__username=<smtp-user>
globalSettings__mail__smtp__password=<smtp-pass>
Then perform the stop/rm/run commands from step 6 again to apply.
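The following is an added example, not part of the original guide or of Bitwarden's or Podman's tooling: a small lint for settings.env to run before the stop/rm/run sequence, since the file holds the installation key and the SMTP password. The function names check_settings_env and get_env are hypothetical, and the chmod 600 expectation is an assumption of this example rather than a step in the guide.

```bash
# Added example (not Opalstack or Bitwarden code): lint settings.env before podman run.
# check_settings_env and get_env are hypothetical helper names.
# Usage: check_settings_env ~/apps/<app_name>/settings.env

get_env() {  # print the value assigned to key $2 in env file $1 (last one wins)
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

check_settings_env() {
    local f="$1" rc=0 key val
    [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 2; }

    # The file holds the installation key (and the SMTP password after step 7):
    # all group/other permission bits should be clear.
    if [ "$(ls -ld -- "$f" | cut -c5-10)" != "------" ]; then
        echo "FAIL: permissions too open, run: chmod 600 $f"; rc=1
    fi

    # Required keys from step 2 must be set and must not still hold a <placeholder>.
    for key in BW_DOMAIN BW_INSTALLATION_ID BW_INSTALLATION_KEY BW_PORT_HTTP; do
        val=$(get_env "$f" "$key")
        case "$val" in
            "")        echo "FAIL: $key is missing or empty"; rc=1 ;;
            *"<"*">"*) echo "FAIL: $key still contains a placeholder"; rc=1 ;;
        esac
    done

    # The port must be numeric; it is used on both sides of -p 127.0.0.1:<PORT>:<PORT>.
    case "$(get_env "$f" BW_PORT_HTTP)" in
        *[!0-9]*) echo "FAIL: BW_PORT_HTTP is not a number"; rc=1 ;;
    esac

    # The guide runs the container over plain HTTP on loopback (step 2).
    [ "$(get_env "$f" BW_ENABLE_SSL)" = "false" ] ||
        echo "WARN: BW_ENABLE_SSL is not false as in step 2"

    # Step 6: once your own account exists, registration should be closed.
    [ "$(get_env "$f" globalSettings__disableUserRegistration)" = "true" ] ||
        echo "WARN: public registration is still enabled (see step 6)"

    return "$rc"
}
```

FAIL lines make the function return 1, while WARN lines are informational; the registration warning is expected until you have created your own account in step 6.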
Updating
podman pull ghcr.io/bitwarden/lite:latest
podman stop bitwarden && podman rm bitwarden
podman run -d \
--name bitwarden \
-v ~/apps/<app_name>/bwdata:/etc/bitwarden:Z \
-p 127.0.0.1:<PORT>:<PORT> \
--env-file ~/apps/<app_name>/settings.env \
ghcr.io/bitwarden/lite:latest
Data persists in bwdata/ — the SQLite database and all configuration survive container recreation.
Editing Config Files
settings.env is owned by the shell user. Edit it normally with vim or nano.
Files inside bwdata/ are written by the container with remapped UIDs. To edit those:
# Edit from inside the running container
podman exec -it bitwarden bash
# Or use podman unshare on the host
podman unshare vi ~/apps/<app_name>/bwdata/<file>
We hope this is useful!