
Self-hosted, open-source password manager built for teams!

In this tutorial, we set up a free and open-source password manager for your home lab or for professional IT teams such as DevOps and sysadmins. We will deploy Passbolt on a Docker server and configure a mail server and trusted SSL certificates using Traefik and Let's Encrypt.

Install Passbolt in Docker

Create a new project directory and a new compose.yaml file in it.

---
services:
  db:
    image: library/mariadb:10.3
    environment:
      - MYSQL_RANDOM_ROOT_PASSWORD=true
      # No quotes here: in list form, Compose passes everything after '=' verbatim, quotes included.
      - MYSQL_DATABASE=passbolt
      - MYSQL_USER=passbolt
      - MYSQL_PASSWORD=P4ssb0lt
    volumes:
      - database_volume:/var/lib/mysql
    restart: unless-stopped
  passbolt:
    image: passbolt/passbolt:latest-ce
    depends_on:
      - db
    ports:
      - "80:80"
      - "443:443"
    environment:
      - APP_FULL_BASE_URL=https://passbolt.home.arpa
      - DATASOURCES_DEFAULT_HOST=db
      # Must match MYSQL_USER, MYSQL_PASSWORD and MYSQL_DATABASE of the db service.
      - DATASOURCES_DEFAULT_USERNAME=passbolt
      - DATASOURCES_DEFAULT_PASSWORD=P4ssb0lt
      - DATASOURCES_DEFAULT_DATABASE=passbolt
    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
    command: ["/usr/bin/wait-for.sh", "-t", "0", "db:3306", "--", "/docker-entrypoint.sh"]
    restart: unless-stopped
volumes:
  database_volume:
  gpg_volume:
  jwt_volume:
  • Make sure to replace the URL in APP_FULL_BASE_URL.
  • Change the MYSQL_* and DATASOURCES_DEFAULT_* environment variables.
  • (optional) Add the credentials to a .env file.
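
One way to do the .env step for the database password, as an added example that is not part of the original tutorial: the script writes a random password to a .env file readable only by its owner and checks compose.yaml for leftovers of the sample values. The variable name PASSBOLT_DB_PASSWORD and the script name make-env.sh are assumptions made for this example.

```shell
#!/bin/sh
# Added example. PASSBOLT_DB_PASSWORD is a hypothetical variable name.

# 32 random bytes from the kernel CSPRNG, hex-encoded, so the value needs
# no quoting in .env, YAML or SQL.
gen_secret() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Write the env file with mode 0600. Never overwrite an existing file:
# MariaDB only applies MYSQL_PASSWORD when the data volume is first
# initialised, so a regenerated password would lock Passbolt out.
write_env() {
    env_file=$1
    if [ -e "$env_file" ]; then
        echo "refusing to overwrite $env_file" >&2
        return 1
    fi
    ( umask 077
      printf 'PASSBOLT_DB_PASSWORD=%s\n' "$(gen_secret)" > "$env_file" )
}

# Flag a compose file that still carries the tutorial's sample password or
# quoted list-form values (Compose keeps those quotes as part of the value).
check_compose() {
    compose=$1
    rc=0
    if grep -q 'P4ssb0lt' "$compose"; then
        echo "$compose: sample password P4ssb0lt still present" >&2
        rc=1
    fi
    if grep -Eq '^[[:space:]]*-[[:space:]]*[A-Z_]+="' "$compose"; then
        echo "$compose: quoted list-form environment value" >&2
        rc=1
    fi
    return $rc
}

# compose.yaml then references the variable in both services:
#   - MYSQL_PASSWORD=${PASSBOLT_DB_PASSWORD}
#   - DATASOURCES_DEFAULT_PASSWORD=${PASSBOLT_DB_PASSWORD}
# Usage, from the project directory: sh make-env.sh --write
if [ "${1:-}" = "--write" ]; then
    write_env .env && check_compose compose.yaml
fi
```

Keep .env out of version control and out of any backup that is not encrypted.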

Configure a mail server

Add the following environment variables to your compose.yaml file.

    environment:
      - EMAIL_TRANSPORT_DEFAULT_HOST=your-mail-server
      - EMAIL_TRANSPORT_DEFAULT_PORT=587
      - EMAIL_TRANSPORT_DEFAULT_USERNAME=$EMAIL_TRANSPORT_DEFAULT_USERNAME
      - EMAIL_TRANSPORT_DEFAULT_PASSWORD=$EMAIL_TRANSPORT_DEFAULT_PASSWORD
      - EMAIL_TRANSPORT_DEFAULT_TLS=true
      - EMAIL_DEFAULT_FROM=no-reply@home.arpa
  • Replace the variables with your email server config.
  • (optional) Add the credentials to a .env file.

Trusted SSL Certs with Traefik

If you’re using Traefik, you can remove the ports: section from the passbolt service in your compose.yaml file and add the following labels to that service instead.

    labels:
      - traefik.enable=true
      - traefik.http.services.passbolt.loadbalancer.server.port=80
      - traefik.http.routers.passbolt.entrypoints=websecure
      - traefik.http.routers.passbolt.rule=Host(`passbolt.home.arpa`)
      - traefik.http.routers.passbolt.tls=true
      - traefik.http.routers.passbolt.tls.certresolver=cloudflare
      - traefik.http.routers.passbolt.service=passbolt

Set up your first admin account

docker compose exec passbolt su -m -c "/usr/share/php/passbolt/bin/cake \
  passbolt register_user \
    -u YOUR_EMAIL \
    -f YOUR_NAME \
    -l YOUR_LASTNAME \
    -r admin" -s /bin/sh www-data

Log in with one of the supported browsers by opening https://passbolt.home.arpa.

Congratulations, you’re now ready to use Passbolt!

Christian Lempa
Author
IT & Tech Nerd | DevOps and Automation FanBoy