Setup Vaultwarden with Docker Secrets either with PG* Variables or in DATABASE URL not working in my example

[flomickl]

Hi all,

According to the description on how to set up Postgres with vaultwarden https://github.com/dani-garcia/vaultwarden/wiki/Using-the-PostgreSQL-Backend
it is mentioned:

You can either add the connection parameter to DATABASE_URL or specify it via its corresponding PG* environment variable.

The PG* Variables are listed here: https://www.postgresql.org/docs/current/libpq-envars.html

I am using docker secrets and try to pass the password either to the DATABASE_URL string or set them as PG Variables.
Both ways are not working and maybe someone can help out.
What I am doing wrong with thePG* Variables and or how to use the secret in the DATABASE_URL ?

In my example, I am using the following variables in my docker-compose environment part:

PGHOST: "bitwarden-db"
PGDATABASE: ${BITWARDEN_DB_NAME}
PGUSER: ${BITWARDEN_DB_USER}
PGPASSFILE: /run/secrets/bitwarden_postgres_password

or easier

PGHOST: "bitwarden-db"
PGDATABASE: "vaultwarden"
PGUSER: "vaultwarden"
PGPASSFILE: /run/secrets/bitwarden_postgres_password

If I start this setup, the SQLite files are created in the data folder, so the Postgres db is not used.

db.sqlite3
db.sqlite3-shm
db.sqlite3-wal

If I try to set the DATABASE_URL the following way
DATABASE_URL: postgresql://$PGUSER:$PGPASSFILE@$PGHOST:5432/$PGDATABASE

I get following message during docker-compose up

WARN[0000] The "PGUSER" variable is not set. Defaulting to a blank string.
WARN[0000] The "PGPASSFILE" variable is not set. Defaulting to a blank string.
WARN[0000] The "PGHOST" variable is not set. Defaulting to a blank string.
WARN[0000] The "PGDATABASE" variable is not set. Defaulting to a blank string.

and clearly the message:

bitwarden | [2023-10-21 23:42:13.777][vaultwarden::util][WARN] Can't connect to database, retrying: DieselCon.
bitwarden | [CAUSE] BadConnection(
bitwarden | "connection to server at \"bitwarden-db\" (172.18.0.2), port 5432 failed: fe_sendauth: no password supplied\n",
bitwarden | )

If I replace the password with the plain password, everything is starting up

DATABASE_URL: postgresql://$PGUSER:<PLAIN_PASSWORD>:5432/$PGDATABASE

But I don't want to post the plain password in my compose setup.

version: '3'

services:
    bitwarden-db:
      image: ${BITWARDEN_POSTGRES_IMAGE_TAG}
      container_name: bitwarden-db
      restart: unless-stopped
      volumes:
        - /etc/localtime:/etc/localtime:ro
        - /etc/timezone:/etc/timezone:ro
        - ./data/postgres:/var/lib/postgresql/data
      environment:
        POSTGRES_DB: ${BITWARDEN_DB_NAME}
        POSTGRES_USER: ${BITWARDEN_DB_USER}
        POSTGRES_PASSWORD_FILE: /run/secrets/bitwarden_postgres_password
      healthcheck:
        test: [ "CMD", "pg_isready", "-q", "-d", "${BITWARDEN_DB_USER}", "-U", "${BITWARDEN_DB_USER}" ]
        interval: 10s
        timeout: 5s
        retries: 3
        start_period: 60s
      secrets:
        - bitwarden_postgres_password
      networks:
        - bitwarden-network

    bitwarden:
      image: ${BITWARDEN_IMAGE}
      restart: unless-stopped
      container_name: bitwarden
      volumes:
         - ./data/bitwarden:/data
         - /etc/localtime:/etc/localtime:ro
      user: 1000:1000
      depends_on:
        bitwarden-db:
          condition: service_healthy
      environment:
        PGHOST: "bitwarden-db"
        PGDATABASE: ${BITWARDEN_DB_NAME}
        PGUSER: ${BITWARDEN_DB_USER}
        PGPASSFILE: /run/secrets/bitwarden_postgres_password
        #DATABASE_URL: postgresql://$PGUSER:$PGPASSFILE@$PGHOST:5432/$PGDATABASE
        DATABASE_URL: postgresql://$PGUSER:<PLAIN_PASSWORD>@$PGHOST:5432/$PGDATABASE
        WEBSOCKET_ENABLED: 'false' # Required to use websockets
        SIGNUPS_ALLOWED: 'false'   # set to false to disable signups
        SHOW_PASSWORD_HINT: 'false'
        USE_SYSLOG: 'true'
        EXTENDED_LOGGING: 'true'
        LOG_LEVEL: 'debug'
      secrets:
        - bitwarden_postgres_password
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.bitwarden.rule=Host(`XXXXXX`)"
        - "traefik.http.routers.bitwarden.tls=true"
        - "traefik.http.routers.bitwarden.tls.certresolver=letsencrypt"
        - "traefik.http.services.bitwarden.loadbalancer.server.port=80"
        - "traefik.docker.network=traefik-servicenet"
      networks:
        - traefik-servicenet
        - bitwarden-network

networks:
  traefik-servicenet:
    external: true
  bitwarden-network:
    internal: true

secrets:
  bitwarden_postgres_password:
    file: ./pass/postgres_password.txt # put postgresql password to this file

my .env

# postgres
BITWARDEN_POSTGRES_IMAGE_TAG=postgres:16-alpine
BITWARDEN_DB_NAME=vaultwarden
BITWARDEN_DB_USER=vaultwarden
#vaultwarden
BITWARDEN_IMAGE=vaultwarden/server:latest

I am using
Docker version 24.0.6, build ed223bc
and
Docker Compose version v2.20.3

[0rdvm]

I have exactly the same problem, I don't want to use the text variant of the password, and I want to use the secret.
Since I'm a newbie, but aren't PG* variables required to be used in the Postgresql designation area?
Instead of POSTGRES_PASSWORD_FILE?

[rahul-home-lab]

Any help on this guys, I am also facing this problem

[BlackDex]

Create a DATABASE_URL string which includes the password and full URL as described in the .env.template or the wiki.
Then put that in a secret which gets outputed as a file within the container, and then set DATABASE_URL_FILE to point to that file.

All ENV variables support appending _FILE to point to a file to use secrets.

[andreasntr]

can we document this? it is really difficult for newcomers to understand vaultwarden envs

[BlackDex]

https://github.com/dani-garcia/vaultwarden/wiki/Configuration-overview#loading-individual-values-from-files

[andreasntr]

thnk you, it truly slipped while scrolling the page. Maybe using a bigger header or adding it to the lateral bullet point list would make it more visibile