by kivle
668 days ago
I did too, and liked it until it taught me a valuable lesson about self hosting things. I started using the project while it was still called bitwarden-rs. Apparently they were told to rename by Bitwarden (understandable). My setup was based on their Docker images, and thinking it was the safest option I had set up Watchtower to automatically update to the latest image nightly to get the latest security patches. But then I discovered that the bitwarden-rs image had not been updated for _months_ because of the rename. So basically I was hosting my whole password database in this, and I had suddenly lost security updates without realizing. Btw, I'm not blaming either Vaultwarden or Bitwarden. But if you're going to self-host something this security critical, just be sure that you definitely monitor it _manually_ to make sure you're not on some unpatched vulnerable version some months down the line.
E.g. you deploy with DATABASE_URL=x
This becomes DATABASE_URL=x PYTHON=3.0.0
You did not set the Python one, the image did via ENV.
Now a new version comes out with PYTHON=3.1.0.
Watchtower doesn't know which ENVs you set and which ones came from the container, as docker inspect exposes them in the same way.
So now Watchtower deploys the new version (which only has Python 3.1.0) with DATABASE_URL=x PYTHON=3.0.0.
And stuff stops working.
I use an ansible playbook which maintains the only ENV vars that need to survive an update.
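As an added illustration (my own code, not from the thread, Watchtower or Vaultwarden), here is the env merge described in the comment above simulated in Python on constructed `docker inspect`-style env lists: a naive recreate that reuses every variable of the old container, beside one that first subtracts the old image's own ENV so only operator-set variables survive onto the new image. It assumes the old image's Config.Env is still available to compare against; the image and variable values are made up for the example.

```python
# Added example: simulate how recreating a container from a newer image
# carries an image-provided ENV over, and how comparing the running
# container's env against its *original* image's env separates
# operator-set variables from image defaults. Env lists mirror the
# shape of `docker inspect` Config.Env ("KEY=value" strings).
# All values below are constructed, not taken from a real deployment.

def parse_env(entries):
    """Turn docker-style ["KEY=value", ...] into a dict (first '=' splits)."""
    env = {}
    for entry in entries:
        key, _, value = entry.partition("=")
        env[key] = value
    return env

def split_env(container_env, old_image_env):
    """Separate operator-set variables from ones inherited from the image.
    Heuristic: a var is 'inherited' if the old image declared it with the
    same value; anything else was set (or overridden) at deploy time.
    Caveat: a var the operator set to exactly the image default is
    indistinguishable from an inherited one and is treated as inherited."""
    c = parse_env(container_env)
    i = parse_env(old_image_env)
    user_set = {k: v for k, v in c.items() if i.get(k) != v}
    inherited = {k: v for k, v in c.items() if i.get(k) == v}
    return user_set, inherited

def naive_recreate(container_env, new_image_env):
    """What a tool that cannot tell the two apart does: reuse every var
    from the old container, clobbering the new image's defaults."""
    env = parse_env(new_image_env)
    env.update(parse_env(container_env))
    return env

def careful_recreate(container_env, old_image_env, new_image_env):
    """Reapply only operator-set vars on top of the new image's defaults."""
    user_set, _ = split_env(container_env, old_image_env)
    env = parse_env(new_image_env)
    env.update(user_set)
    return env

# Constructed sample mirroring the scenario in the comment.
OLD_IMAGE_ENV = ["PYTHON=3.0.0", "PATH=/usr/local/bin:/usr/bin"]
NEW_IMAGE_ENV = ["PYTHON=3.1.0", "PATH=/usr/local/bin:/usr/bin"]
CONTAINER_ENV = ["DATABASE_URL=x", "PYTHON=3.0.0", "PATH=/usr/local/bin:/usr/bin"]

if __name__ == "__main__":
    print("naive:  ", naive_recreate(CONTAINER_ENV, NEW_IMAGE_ENV))    # PYTHON stays 3.0.0
    print("careful:", careful_recreate(CONTAINER_ENV, OLD_IMAGE_ENV, NEW_IMAGE_ENV))
```

The same comparison can be run before an automated update to flag containers whose env still carries a value the new image no longer declares.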