2 files changed, 48 insertions, 0 deletions

diff --git a/infrastructure/roles/vaultwarden/Caddyfile b/infrastructure/roles/vaultwarden/Caddyfile
new file mode 100644
index 0000000..695c862
--- /dev/null
+++ b/infrastructure/roles/vaultwarden/Caddyfile
@@ -0,0 +1,40 @@
+{
+	auto_https disable_redirects
+	skip_install_trust
+}
+
+https://localhost:8443 {
+	root .
+
+	handle_path /api/* {
+		rewrite * /vaultwarden/api{path}
+		reverse_proxy https://ñix.es
+	}
+
+	handle_path /identity/* {
+		rewrite * /vaultwarden/identity{path}
+		reverse_proxy https://ñix.es
+	}
+
+	handle_path /icons/* {
+		rewrite * /vaultwarden/icons{path}
+		reverse_proxy https://ñix.es
+	}
+
+	handle_path /events/* {
+		rewrite * /vaultwarden/events{path}
+		reverse_proxy https://ñix.es
+	}
+
+	handle_path /notifications/* {
+		rewrite * /vaultwarden/notifications{path}
+		reverse_proxy https://ñix.es
+	}
+
+	handle_path /css/vaultwarden.css {
+		rewrite * /vaultwarden/css/vaultwarden.css
+		reverse_proxy https://ñix.es
+	}
+
+	file_server
+}
diff --git a/infrastructure/roles/vaultwarden/README.md b/infrastructure/roles/vaultwarden/README.md
index 05c7fc2..26e94dc 100644
--- a/infrastructure/roles/vaultwarden/README.md
+++ b/infrastructure/roles/vaultwarden/README.md
@@ -28,3 +28,11 @@ Therefore, we recommend changing the master password *before* entering any sensi
 
 To share secrets among members, organizations should be created from an account without personal data.
 
+### Running a local web vault
+
+Alternatively, you can run the web vault locally to ensure no one has tampered with the web vault.
+
+1. Download and extract the archive from [the Vaultwarden web vault builds](https://github.com/dani-garcia/bw_web_builds/releases/latest).
+1. Copy the [`Caddyfile`](Caddyfile) into the `web-vault` directory.
+1. Run `caddy run`.
+1. Access your vault at <https://localhost:8443>.