Now, sure, you could use something like KeePass and keep it local to your machine. That works great if you’re mostly tied to one device. But if you’re like me—always bouncing between machines, phones, and maybe even the occasional tablet, you’ll probably want something a little more accessible.

That’s where Vaultwarden comes in. It’s a lightweight, self-hosted fork of Bitwarden, the open-source password manager. With Vaultwarden, you get to use the official Bitwarden mobile apps and browser extensions, but with a leaner backend that’s easier to run on your own server. It’s fast, minimal, and you keep control of your own data.

The Setup

You’ll need a few things before we get started:

• A server with Docker installed
• The Apache web server
• A domain name
• An SSL certificate (we’ll use Let’s Encrypt)
• Port 443 open on your firewall (or another port if you’re using a custom setup)

If you’re already running services on your host’s port 443 like I am, you can remap Vaultwarden’s container to a different internal port and let Apache handle the HTTPS proxying.

Apache

Once you’ve got Docker, Apache, and your domain ready, it’s time to configure your reverse proxy.

Create a new config file for Vaultwarden at /etc/apache2/sites-available/vaultwarden.conf. Here is a template you can use for your setup.

<IfModule mod_ssl.c>
<VirtualHost *:80>
    ServerName your_domain
    Redirect permanent / https://your_domain/
</VirtualHost>

<VirtualHost *:443>
    ServerName your_domain

    SSLEngine on
    SSLProxyEngine on

    SSLCertificateFile /etc/letsencrypt/live/your_domain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/your_domain/privkey.pem

    ProxyPreserveHost On
    ProxyRequests Off

    ProxyPass / http://127.0.0.1:8443/
    ProxyPassReverse / http://127.0.0.1:8443/

    # WebSocket support
    RewriteEngine On
    RewriteCond %{HTTP:UPGRADE} ^(.*)$ [NC]
    RewriteCond %{HTTP:CONNECTION} ^(.*Upgrade.*)$ [NC]
    RewriteRule ^/?(.*) "ws://127.0.0.1:8443/$1" [P,L]

    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"

    ErrorLog ${APACHE_LOG_DIR}/vaultwarden-error.log
    CustomLog ${APACHE_LOG_DIR}/vaultwarden-access.log combined
</VirtualHost>
</IfModule>

<IfModule mod_ssl.c>
<VirtualHost *:80>
    ServerName your_domain
    Redirect permanent / https://your_domain/
</VirtualHost>

<VirtualHost *:443>
    ServerName your_domain

    SSLEngine on
    SSLProxyEngine on

    SSLCertificateFile /etc/letsencrypt/live/your_domain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/your_domain/privkey.pem

    ProxyPreserveHost On
    ProxyRequests Off

    ProxyPass / http://127.0.0.1:8443/
    ProxyPassReverse / http://127.0.0.1:8443/

    # WebSocket support
    RewriteEngine On
    RewriteCond %{HTTP:UPGRADE} ^(.*)$ [NC]
    RewriteCond %{HTTP:CONNECTION} ^(.*Upgrade.*)$ [NC]
    RewriteRule ^/?(.*) "ws://127.0.0.1:8443/$1" [P,L]

    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"

    ErrorLog ${APACHE_LOG_DIR}/vaultwarden-error.log
    CustomLog ${APACHE_LOG_DIR}/vaultwarden-access.log combined
</VirtualHost>
</IfModule>

Then enable the required Apache modules:

• a2enmod proxy
• a2enmod proxy_http
• a2enmod proxy_wstunnel
• a2enmod ssl
• a2enmod rewrite

Now all you should need to do is enable your site and restart apache.

Docker

Next all you need to do is to setup the docker container. Below is a template for the command to set it up. Once it’s running, visit https://your_domain in your browser. You should be greeted with the account creation screen. Go ahead and register your account. After that, be sure to disable public signups by either updating the container or setting SIGNUPS_ALLOWED=false in your Docker environment.

sudo docker run -d   --name vaultwarden   -v /vw-data:/data   -p 8443:80   -e WEBSOCKET_ENABLED=true   -e SIGNUPS_ALLOWED=true   -e DOMAIN=https://your_domain   vaultwarden/server:latest

sudo docker run -d   --name vaultwarden   -v /vw-data:/data   -p 8443:80   -e WEBSOCKET_ENABLED=true   -e SIGNUPS_ALLOWED=true   -e DOMAIN=https://your_domain   vaultwarden/server:latest

Email Setup (optional)

If you want features like password reset links for other accounts on your server, account verification emails, admin invites, and emergency access notifications, you’ll want to hook up SMTP.

Here’s how to do it with a Gmail account (you’ll need to generate an App Password):

-e SMTP_HOST=smtp.gmail.com
-e SMTP_FROM=your_account@gmail.com
-e SMTP_PORT=587
-e SMTP_USERNAME=your_account@gmail.com
-e SMTP_PASSWORD=your_gmail_app_password
-e SMTP_SECURITY=starttls

-e SMTP_HOST=smtp.gmail.com
-e SMTP_FROM=your_account@gmail.com
-e SMTP_PORT=587
-e SMTP_USERNAME=your_account@gmail.com
-e SMTP_PASSWORD=your_gmail_app_password
-e SMTP_SECURITY=starttls

Add those to your docker run command or define them in a .env file if you’re using docker-compose.

Once email is working, you’ll be able to:

• Send password reset links to other users on your server
• Verify email addresses
• Invite users to your instance
• Get alerts for emergency access requests

It’s a small step that adds a ton of functionality.

Enjoy Being Secure

And that’s it. You’ve got a secure, open-source, cloud-accessible password manager running on your own terms, with all the modern comforts like mobile and browser integration. No monthly fees. No trusting a third-party service with your credentials. Just you, your server, and full control over your security.

Welcome to the self-hosted club.

I love that reading is free, you can do it anywhere. You can do it on the train… uh, don’t do it while you’re driving

– James Pumphrey

When I was younger I used to avidly enjoy reading in my free time. From adventures in a galaxy far, far away (shoutout Karen Traviss), to the neo-Greek mythology of the Percy Jackson series, I tore through books like it was my job. However, as I’ve gotten older that’s no longer the case. Between work and school, most of my reading now consists of dry technical manuals, textbooks, and reviews for whatever power tool I want to buy next.

So the goal of this project is to make whatever book I’m reading:

1. Easily accessible
2. Simple to pick up right where I left off
3. Replaceable when I’m ready to crack open the next one

Join me as we Make Reading Great Again so I have no excuse not to be well-read.

Picking a Platform

Obviously, the first thing I could do to achieve this goal would be to open up my wallet and head to the nearest app store to get an e-reader service like Bezos’s Kindle or Google’s Shelf and start building a digital library that I don’t really own. But the easy way has some huge red flags. For example, say they lose the licensing or worse, 1984 comes to pass and certain books get banned and poof, there goes my book and my money.

Also, if you’ve read any of my posts so far you’re probably aware that I’m definitely a DIY kind of guy, and like with most things I’m going to do it myself.

So what are the options for self-hosting this kind of service? As you can tell from the title, I went with Kavita for its multi-user support, anywhere access, and mainly because I liked the UI the most. But there are other great options I stumbled upon that might suit your needs better:

• Calibre for its wider format support and plugins.
• Komga if your main focus is comics and manga.
• Polar Bookshelf if you just want to install a Snap package and enjoy books locally.

The Set Up

For this setup I’ll be using Kavita’s Docker image. There are plenty of ways to set it up, but for that I’ll refer you to their instructional page here: https://wiki.kavitareader.com/getting-started/.

I like using Portainer to set up and manage my Docker containers since it’s simple and easy. Remember to create your volume first, set your port mapping to 5000, and set the network adapter to bridge before pulling and creating the container.

Once it’s up and running you’re good to go to http://your-server-ip:5000, and you should be greeted with a simple sign-in screen to create your admin account. After you create your account and log in, the last thing is to load up something to read and create your libraries. Kavita supports formats like PDF, EPUB, and a variety of comic/manga formats.

To make this all work you’ll need to create a folder and place each file in that folder. For example, my copy of Pride and Prejudice from epubbooks.com is mounted like this:

/storage/books/'Pride and Prejudice (Illustrated)'/austen-pride-and-prejudice-illustrations.epub

Now that you have your books loaded up, create a library by clicking on the gear icon in the top left, navigating to the Libraries tab under Server, and clicking on the Add Library button. In the popup, give it a name and point it to the folder you mounted with your media. I decided to split my libraries into books, comics, and manga.

Mr. Worldwide

You can stop here if you only want access to your e-library locally, but I decided to take it a step further. To access the library securely from anywhere in the world, I created a domain name with NO-IP, used Certbot to generate some SSL certificates, and created and enabled my .conf file.

That’s right, eriks-library (e-library for short) can now be accessed anywhere with an internet connection.

If you want to do this too, there are more detailed instructions in Kavita’s setup guide I linked earlier. Or if you’re using Apache2, you can copy, edit, and enable the slightly trimmed-down config file I made for the reverse proxy:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName your.domain.com

    SSLEngine on
    SSLProxyEngine on
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    # Use Let's Encrypt certificate paths
    SSLCertificateFile /etc/letsencrypt/live/your.domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/your.domain.com/privkey.pem

    ErrorLog ${APACHE_LOG_DIR}/proxy-error.log
    CustomLog ${APACHE_LOG_DIR}/proxy-access.log combined

    ProxyPass / http://SERVER_IP_ADDR:5000/
    ProxyPassReverse / http://SERVER_IP_ADDR:5000/

    ProxyPreserveHost On
    ProxyRequests Off

    # WebSocket support
    RewriteEngine On
    RewriteCond %{HTTP:UPGRADE} ^.*WebSocket.*$ [NC]
    RewriteCond %{HTTP:CONNECTION} ^.*Upgrade.*$ [NC]
    RewriteRule .* ws://SERVER_IP_ADDR:5000%{REQUEST_URI} [P]

    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
    RequestHeader set X-Forwarded-For "%{REMOTE_ADDR}e"
</VirtualHost>
</IfModule>

On the Go

The last step was figuring out how I’m going to access and enjoy my library from my phone. Currently, there’s only a third-party app called Kavita Blue, but when I tried it, it kept freezing and ruined the UI I like. So I just opened up Chrome on my phone, navigated to my domain, and set it up as a web app on my home screen. Sure, I could have paid for a Kindle subscription, but where’s the fun in that? Besides, now I get to say my library runs on Docker and that sounds way cooler at parties anyways.