Update Podman documentation to use Quadlet for systemd deployment

[skyblaster]

Quadlet was integrated into Podman 4.4 and allows for a simplified systemd deployment (similar to docker-compose).
https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html

I would have made this a PR instead of a discussion post, but since I haven't actually ran vaultwarden in production, I would like others to scrutinize the config and offer feedback first.

I've made both containers rootless by adding the following to /etc/sysctl.conf
net.ipv4.ip_unprivileged_port_start=80

Here are the files:
~/.config/containers/systemd/vaultwarden/vaultwarden.container

[Unit]
Description=Vaultwarden Container

[Container]
Image=ghcr.io/dani-garcia/vaultwarden:latest
ContainerName=vaultwarden
HostName=vaultwarden
AutoUpdate=registry
Network=caddy-bridge.network
Volume=vaultwarden.volume:/data
#PublishPort=127.0.0.1:8080:80

[Install]
WantedBy=multi-user.target default.target

~/.config/containers/systemd/vaultwarden/vaultwarden.volume

[Volume]

~/.config/containers/systemd/networks/caddy-bridge.network

[Network]
DisableDNS=false
Internal=false

~/.config/containers/systemd/caddy/caddy.container

[Unit]
Description=Caddy Container

[Container]
Image=docker.io/library/caddy:latest
ContainerName=caddy
HostName=caddy
AutoUpdate=registry
Network=caddy-bridge.network
Volume=/etc/caddy/Caddyfile:/etc/caddy/Caddyfile
Volume=caddy-data.volume:/data
Volume=caddy-config.volume:/config
PublishPort=80:80
PublishPort=443:443

[Install]
WantedBy=multi-user.target

~/.config/containers/systemd/caddy/caddy-data.volume

[Volume]

~/.config/containers/systemd/caddy/caddy-config.volume

[Volume]

The following is a separate idea of mine. Not applicable to the documentation update.

Since I don't administer any legitimate domains, I'm using Caddy to self-sign .lan hosts.
The only issue is that you have to extract the cert and import it into all of your browsers.

EDIT: I've since registered a domain and won't be using the TLS internal setup. Too much hassle to manually import the certs into family devices. I'll leave the Caddyfile below as is, but it's not what I actually use.

/etc/caddy/Caddyfile

vault.containerhost.lan {
      tls internal

      encode gzip
      # The negotiation endpoint is also proxied to Rocket
      reverse_proxy /notifications/hub/negotiate vaultwarden:80
      # Notifications redirected to the websockets server
      #reverse_proxy /notifications/hub vaultwarden:3012
      # Send all other traffic to the regular Vaultwarden endpoint
      reverse_proxy vaultwarden:80
}

Also, the AutoUpdate feature does not currently work within a pod, otherwise I would have suggested creating a pod (containers/podman#20675)

[mo8it]

WantedBy=multi-user.target doesn't lead to starting the rootless container after a system reboot. I mentioned that in a note in my blog post about Quadlet:

I thought that setting WantedBy to multi-user.target would work because it is the default target on servers. But it doesn't work in the case of rootless containers.

multi-user.target is not defined in the user mode in systemd. You can verify this by running the command systemctl --user status multi-user.target. It is only defined in the system mode (systemctl status multi-user.target without --user).

Therefore, I would replace it with default.target.

I would recommend putting the files related to Vaultwarden in one directory. Quadlet supports reading files inside a directory in the search path. Therefore, I would put vaultwarden.container and vaultwarden.volume inside the directory ~/.config/containers/systemd/vaultwarden.

DisableDNS=flase and Internal=false are the defaults for a network. Therefore, these options can be removed.

I am not sure if a coupling to Caddy is a good idea. I for example use Traefik instead. Maybe we can keep it reverse-proxy-agnostic or explicitly mark Caddy as an example? For the second case, I could contribute a Traefik example.

Disclaimer: I didn't test these Quadlet files. I don't even host Vaultwarden (I really appreciate it, but I use KeePass). I just wanted to give some feedback 😇

[skyblaster]

Thanks so much for your response and sorry for the delay!

WantedBy=multi-user.target doesn't lead to starting the rootless container after a system reboot. I mentioned that in a note in my blog post about Quadlet:

I thought that setting WantedBy to multi-user.target would work because it is the default target on servers. But it doesn't work in the case of rootless containers.
multi-user.target is not defined in the user mode in systemd. You can verify this by running the command systemctl --user status multi-user.target. It is only defined in the system mode (systemctl status multi-user.target without --user).

Therefore, I would replace it with default.target.

Good point. Most examples I've seen include WantedBy=default.target multi-user.target to cover both rootful and rootless scenarios, so I'll update my example.

I would recommend putting the files related to Vaultwarden in one directory. Quadlet supports reading files inside a directory in the search path. Therefore, I would put vaultwarden.container and vaultwarden.volume inside the directory ~/.config/containers/systemd/vaultwarden.

That's a great idea. Thanks!

DisableDNS=false and Internal=false are the defaults for a network. Therefore, these options can be removed.

Noted. I was just taking the lead from a Red Hat Engineers blog and I don't think it hurts to leave them in.

I am not sure if a coupling to Caddy is a good idea. I for example use Traefik instead. Maybe we can keep it reverse-proxy-agnostic or explicitly mark Caddy as an example? For the second case, I could contribute a Traefik example.

Fair point. I suppose I was just trying to replicate the following example to a certain degree:
https://github.com/dani-garcia/vaultwarden/wiki/Using-Docker-Compose

Disclaimer: I didn't test these Quadlet files. I don't even host Vaultwarden (I really appreciate it, but I use KeePass). I just wanted to give some feedback 😇

[klaasb]

Thanks for the config examples above! I'm now running with only the following container file in .config/containers/systemd/vaultwarden/vaultwarden.container - no other volumes and re-using my existing proxy configs elsewhere for simplicity.

[Unit]
Description=Vaultwarden Container

[Container]
Image=docker.io/vaultwarden/server:latest
ContainerName=vaultwarden
HostName=vaultwarden
AutoUpdate=registry
EnvironmentFile=/home/vaultwarden/vaultwarden.env
Volume=/home/vaultwarden/data:/data
PublishPort=127.0.0.1:38000:80

[Install]
WantedBy=multi-user.target default.target

This also doesn't require setting net.ipv4.ip_unprivileged_port_start=80 - you'll just have to configure your proxy to forward to 38000 internally.

[tazihad]

I made one successfully. works for fedora 40.
mkdir -p ~/vaultwarden/data

~/.config/containers/systemd/vaultwarden.container

[Unit]
Description=Vaultwarden Container

[Container]
Image=docker.io/vaultwarden/server:latest
ContainerName=vaultwarden
HostName=vaultwarden
AutoUpdate=registry
EnvironmentFile=%h/vaultwarden/.env
Volume=%h/vaultwarden/data:/data:Z
Network=host

[Install]
WantedBy=multi-user.target default.target

~/vaultwarden/.env

ADMIN_TOKEN=$argon2id$v=19$m=65540,t=3,p=4$N3...
ROCKET_PORT=59000

[eriksjolund]

A side note regarding the use of Traefik and Caddy.
Traefik and Caddy support socket activation. To improve security, avoid using PublishPort= in Caddy container quadlets and Traefik container quadlets.

I started writing some examples
https://github.com/eriksjolund/podman-caddy-socket-activation
https://github.com/eriksjolund/podman-traefik-socket-activation

(Caddy has support for socket activation in https://github.com/caddyserver/caddy/releases/tag/v2.9.0-beta.3
Caddy 2.9.0 has not yet been released)