bitwarden · kaysond · Dec 14, 2025 · Dec 14, 2025 · Dec 20, 2025 · Dec 20, 2025
@@ -75,20 +75,14 @@ RUN apk add --no-cache \
     gcompat
 
 # Create required directories
-RUN mkdir -p \
-    /etc/bitwarden/attachments/send \
-    /etc/bitwarden/data-protection \
-    /etc/bitwarden/licenses \
-    /etc/bitwarden/logs \
-    /etc/supervisor \
-    /etc/supervisor.d \
-    /var/log/bitwarden \
-    /var/log/nginx/logs \
-    /etc/nginx/http.d \
-    /var/run/nginx \
-    /var/lib/nginx/tmp \
-    /app \
-    && touch /var/run/nginx/nginx.pid
+RUN mkdir -p /etc/bitwarden/attachments/send
+RUN mkdir -p /etc/bitwarden/data-protection
+RUN mkdir -p /etc/bitwarden/licenses
+RUN mkdir -p /etc/supervisor
+RUN mkdir -p /etc/supervisor.d
+RUN mkdir -p /app/Identity
+RUN mkdir -p /app/Sso
+RUN mkdir -p /app/Web
 
 # Copy compiled apps from server images
 WORKDIR /app
@@ -104,6 +98,11 @@ COPY --from=sso-app /app /app/Sso
 # Copy Web files from web-app stage
 COPY --from=web-app /app /app/Web
 
+# Create soft links for files generated in the entrypoint
+RUN ln -sf /etc/bitwarden/identity.pfx /app/Identity/identity.pfx
+RUN ln -sf /etc/bitwarden/identity.pfx /app/Sso/identity.pfx
+RUN ln -sf /etc/bitwarden/Web/app-id.json /app/Web/app-id.json
+
 # Set up supervisord
 COPY bitwarden-lite/supervisord/*.ini /etc/supervisor.d/
 COPY bitwarden-lite/supervisord/supervisord.conf /etc/supervisor/supervisord.conf
@@ -137,6 +136,7 @@ RUN chmod +x /usr/local/bin/hbs
 COPY bitwarden-lite/entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
 
+EXPOSE 8080 8443
 VOLUME ["/etc/bitwarden"]
 
 WORKDIR /app

@@ -7,13 +7,19 @@ services:
     env_file:
       - settings.env
     image: ${REGISTRY:-ghcr.io/bitwarden}/lite:${TAG:-2026.5.0}
+    user: 999:999
+    tmpfs: /tmp:rw,noexec,nosuid,nodev,size=512m
+    read_only: true
+    security_opt:
+      - no-new-privileges
     restart: always
     ports:
       - "80:8080"
       - "443:8443"
     volumes:
+      # The user specified above must have permissions
+      # for the bind mount on the host
       - bitwarden:/etc/bitwarden
-      - logs:/var/log/bitwarden
 
   # MariaDB Example
   db:
@@ -51,5 +57,4 @@ services:
 
 volumes:
   bitwarden:
-  logs:
   data:
@@ -1,12 +1,14 @@
 #!/bin/sh
 
-# Set up user group
-PGID="${PGID:-1000}"
-addgroup -g $PGID bitwarden
+if [ "$(id -u)" = "0" ]; then
+  # Set up user group
+  PGID="${PGID:-911}"
+  addgroup -g "$PGID" bitwarden
 
-# Set up user
-PUID="${PUID:-1000}"
-adduser -D -H -u $PUID -G bitwarden bitwarden
+  # Set up user
+  PUID="${PUID:-911}"
+  adduser -D -H -u "$PUID" -G bitwarden bitwarden
+fi
 
 # Translate environment variables for application settings
 VAULT_SERVICE_URI=https://${BW_DOMAIN:-localhost}
@@ -18,23 +20,24 @@ INTERNAL_IDENTITY_KEY=$(openssl rand -hex 30)
 OIDC_IDENTITY_CLIENT_KEY=$(openssl rand -hex 30)
 DUO_AKEY=$(openssl rand -hex 30)
 
-export globalSettings__baseServiceUri__vault=${globalSettings__baseServiceUri__vault:-$VAULT_SERVICE_URI}
-export globalSettings__installation__id=$BW_INSTALLATION_ID
-export globalSettings__installation__key=$BW_INSTALLATION_KEY
-export globalSettings__internalIdentityKey=${globalSettings__internalIdentityKey:-$INTERNAL_IDENTITY_KEY}
-export globalSettings__oidcIdentityClientKey=${globalSettings__oidcIdentityClientKey:-$OIDC_IDENTITY_CLIENT_KEY}
-export globalSettings__duo__aKey=${globalSettings__duo__aKey:-$DUO_AKEY}
+export globalSettings__baseServiceUri__vault="${globalSettings__baseServiceUri__vault:-$VAULT_SERVICE_URI}"
+export globalSettings__installation__id="$BW_INSTALLATION_ID"
+export globalSettings__installation__key="$BW_INSTALLATION_KEY"
+export globalSettings__internalIdentityKey="${globalSettings__internalIdentityKey:-$INTERNAL_IDENTITY_KEY}"
+export globalSettings__oidcIdentityClientKey="${globalSettings__oidcIdentityClientKey:-$OIDC_IDENTITY_CLIENT_KEY}"
+export globalSettings__duo__aKey="${globalSettings__duo__aKey:-$DUO_AKEY}"
+export globalSettings__identityServer__certificatePassword="${globalSettings__identityServer__certificatePassword:-$IDENTITY_SERVER_CERTIFICATE_PASSWORD}"
 
-export globalSettings__databaseProvider=$BW_DB_PROVIDER
-export globalSettings__mysql__connectionString=${globalSettings__mysql__connectionString:-$MYSQL_CONNECTION_STRING}
-export globalSettings__postgreSql__connectionString=${globalSettings__postgreSql__connectionString:-$POSTGRESQL_CONNECTION_STRING}
-export globalSettings__sqlServer__connectionString=${globalSettings__sqlServer__connectionString:-$SQLSERVER_CONNECTION_STRING}
-export globalSettings__sqlite__connectionString=${globalSettings__sqlite__connectionString:-$SQLITE_CONNECTION_STRING}
+export globalSettings__databaseProvider="$BW_DB_PROVIDER"
+export globalSettings__mysql__connectionString="${globalSettings__mysql__connectionString:-$MYSQL_CONNECTION_STRING}"
+export globalSettings__postgreSql__connectionString="${globalSettings__postgreSql__connectionString:-$POSTGRESQL_CONNECTION_STRING}"
+export globalSettings__sqlServer__connectionString="${globalSettings__sqlServer__connectionString:-$SQLSERVER_CONNECTION_STRING}"
+export globalSettings__sqlite__connectionString="${globalSettings__sqlite__connectionString:-$SQLITE_CONNECTION_STRING}"
 
 if [ "$BW_ENABLE_SSL" = "true" ]; then
-  export globalSettings__baseServiceUri__internalVault=https://localhost:${BW_PORT_HTTPS:-8443}
+  export globalSettings__baseServiceUri__internalVault="https://localhost:${BW_PORT_HTTPS:-8443}"
 else
-  export globalSettings__baseServiceUri__internalVault=http://localhost:${BW_PORT_HTTP:-8080}
+  export globalSettings__baseServiceUri__internalVault="http://localhost:${BW_PORT_HTTP:-8080}"
 fi
 
 # Generate Identity certificate
@@ -49,33 +52,31 @@ if [ ! -f /etc/bitwarden/identity.pfx ]; then
   -subj "/CN=Bitwarden IdentityServer" \
   -days 36500
 
+  # identity.pfx is soft linked to the necessary locations in the Dockerfile
   openssl pkcs12 \
   -export \
   -out /etc/bitwarden/identity.pfx \
   -inkey /etc/bitwarden/identity.key \
   -in /etc/bitwarden/identity.crt \
-  -passout pass:$globalSettings__identityServer__certificatePassword
+  -passout "pass:$globalSettings__identityServer__certificatePassword"
 
   rm /etc/bitwarden/identity.crt
   rm /etc/bitwarden/identity.key
 fi
 
-cp /etc/bitwarden/identity.pfx /app/Identity/identity.pfx
-cp /etc/bitwarden/identity.pfx /app/Sso/identity.pfx
-
 # Generate SSL certificates
-if [ "$BW_ENABLE_SSL" = "true" ] && [ ! -f /etc/bitwarden/${BW_SSL_KEY:-ssl.key} ]; then
+if [ "$BW_ENABLE_SSL" = "true" ] && [ ! -f /etc/bitwarden/"${BW_SSL_KEY:-ssl.key}" ]; then
   TMP_OPENSSL_CONF="/tmp/openssl_san.cnf"
   cat /usr/lib/ssl/openssl.cnf > "$TMP_OPENSSL_CONF"
-  printf "\n[SAN]\nsubjectAltName=DNS:${BW_DOMAIN:-localhost}\nbasicConstraints=CA:true\n" >> "$TMP_OPENSSL_CONF"
+  printf "\n[SAN]\nsubjectAltName=DNS:%s\nbasicConstraints=CA:true\n" "${BW_DOMAIN:-localhost}" >> "$TMP_OPENSSL_CONF"
   openssl req \
   -x509 \
   -newkey rsa:4096 \
   -sha256 \
   -nodes \
   -days 36500 \
-  -keyout /etc/bitwarden/${BW_SSL_KEY:-ssl.key} \
-  -out /etc/bitwarden/${BW_SSL_CERT:-ssl.crt} \
+  -keyout /etc/bitwarden/"${BW_SSL_KEY:-ssl.key}" \
+  -out /etc/bitwarden/"${BW_SSL_CERT:-ssl.crt}" \
   -reqexts SAN \
   -extensions SAN \
   -config "$TMP_OPENSSL_CONF" \
@@ -95,31 +96,24 @@ fi
 # Launch a loop to rotate nginx logs on a daily basis
 /bin/sh -c "/logrotate.sh loop >/dev/null 2>&1 &"
 
-/usr/local/bin/hbs
-
-# Enable/Disable services
-sed -i "s/autostart=true/autostart=${BW_ENABLE_ADMIN}/" /etc/supervisor.d/admin.ini
-sed -i "s/autostart=true/autostart=${BW_ENABLE_API}/" /etc/supervisor.d/api.ini
-sed -i "s/autostart=true/autostart=${BW_ENABLE_EVENTS}/" /etc/supervisor.d/events.ini
-sed -i "s/autostart=true/autostart=${BW_ENABLE_ICONS}/" /etc/supervisor.d/icons.ini
-sed -i "s/autostart=true/autostart=${BW_ENABLE_IDENTITY}/" /etc/supervisor.d/identity.ini
-sed -i "s/autostart=true/autostart=${BW_ENABLE_NOTIFICATIONS}/" /etc/supervisor.d/notifications.ini
-sed -i "s/autostart=true/autostart=${BW_ENABLE_SCIM}/" /etc/supervisor.d/scim.ini
-sed -i "s/autostart=true/autostart=${BW_ENABLE_SSO}/" /etc/supervisor.d/sso.ini
+# Create necessary directories
+mkdir -p /etc/bitwarden/logs/nginx
+mkdir -p /etc/bitwarden/logs/supervisord
+mkdir -p /etc/bitwarden/nginx
+mkdir -p /etc/bitwarden/Web
+mkdir -p /tmp/bitwarden
 
-chown -R $PUID:$PGID \
-    /app \
-    /etc/bitwarden \
-    /etc/nginx/http.d \
-    /etc/supervisor \
-    /etc/supervisor.d \
-    /var/lib/nginx \
-    /var/log \
-    /var/run/nginx \
-    /run
+/usr/local/bin/hbs
 
-if command -v su-exec >/dev/null 2>&1; then
-  exec su-exec $PUID:$PGID /usr/bin/supervisord
+if [ "$(id -u)" = "0" ]; then
+  find /etc/bitwarden -follow ! -type l \( ! -group "$PGID" -o ! -user "$PUID" \) -exec chown "${PUID}:${PGID}" {} +
+  exec su-exec "$PUID:$PGID" /usr/bin/supervisord
 else
+  FILES="$(find /etc/bitwarden -follow ! -type l \( ! -group "$(id -g)" -o ! -user "$(id -u)" \))"
+  if [ -n "$FILES" ]; then
+    echo "The following files are not owned by the running user and may cause errors:" >&2
+    echo "$FILES" >&2
+  fi
+
   exec /usr/bin/supervisord
 fi
@@ -2,6 +2,6 @@ helper_categories:
   - String
 templates:
   - src: /etc/hbs/app-id.hbs
-    dest: /app/Web/app-id.json
+    dest: /etc/bitwarden/Web/app-id.json
   - src: /etc/hbs/nginx-config.hbs
-    dest: /etc/nginx/http.d/bitwarden.conf
+    dest: /etc/bitwarden/nginx/bitwarden.conf
@@ -1,3 +1,6 @@
+# THIS FILE IS AUTOMATICALLY GENERATED BY BITWARDEN!
+# CHANGES WILL BE OVERWRITTEN ON CONTAINER STARTUP!
+
 server {
   listen {{{String.Coalesce env.BW_PORT_HTTP "8080"}}} default_server;
 {{#if (String.Equal env.BW_ENABLE_IPV6 "true")}}

@@ -4,12 +4,12 @@ while true
 do
   [ "$1" = "loop" ] && sleep $((24 * 3600 - (`date +%_H` * 3600 + `date +%_M` * 60 + `date +%_S`)))
   ts=$(date +%Y%m%d_%H%M%S)
-  mv /var/log/nginx/access.log /var/log/nginx/access.$ts.log
-  mv /var/log/nginx/error.log /var/log/nginx/error.$ts.log
-  kill -USR1 `cat /var/run/nginx/nginx.pid`
+  mv /etc/bitwarden/logs/nginx/access.log /etc/bitwarden/logs/nginx/access.$ts.log
+  mv /etc/bitwarden/logs/nginx/error.log /etc/bitwarden/logs/nginx/error.$ts.log
+  kill -USR1 `cat /tmp/bitwarden/nginx.pid`
   sleep 1
-  gzip /var/log/nginx/access.$ts.log
-  gzip /var/log/nginx/error.$ts.log
-  find /var/log/nginx/ -name "*.gz" -mtime +32 -delete
+  gzip /etc/bitwarden/logs/nginx/access.$ts.log
+  gzip /etc/bitwarden/logs/nginx/error.$ts.log
+  find /etc/bitwarden/logs/nginx/ -name "*.gz" -mtime +32 -delete
   [ "$1" != "loop" ] && break
 done
@@ -1,6 +1,13 @@
 # nginx Configuration File
 # http://wiki.nginx.org/Configuration
 
+# Default error log file
+# (this is only used when you don't override error_log on a server{} level)
+# This is placed at the top because the compiled-in log path (/var/lib/nginx/logs/error.log)
+# won't be writable in read-only containers. This ensures any errors during startup 
+# (e.g. configuration errors) will actually be written somewhere
+error_log  /etc/bitwarden/logs/nginx/error.log warn;
+
 daemon off;
 
 # Run as a less privileged user for security reasons.
@@ -26,15 +33,19 @@ events {
   worker_connections 8000;
 }
 
-# Default error log file
-# (this is only used when you don't override error_log on a server{} level)
-error_log  /var/log/nginx/error.log warn;
-pid        /var/run/nginx/nginx.pid;
+pid        /tmp/bitwarden/nginx.pid;
 
 http {
   # Include proxy and server configuration.
   include /etc/nginx/proxy.conf;
-  include /etc/nginx/http.d/bitwarden.conf;
+  include /etc/bitwarden/nginx/bitwarden.conf;
+
+  # Use /tmp/bitwarden for nginx temp files
+  client_body_temp_path /tmp/bitwarden/nginx 1 2;
+  fastcgi_temp_path /tmp/bitwarden/nginx-fastcgi;
+  proxy_temp_path /tmp/bitwarden/nginx-proxy;
+  uwsgi_temp_path /tmp/bitwarden/nginx-uwsgi;
+  scgi_temp_path /tmp/bitwarden/nginx-scgi;
 
   # Hide nginx version information.
   server_tokens off;
@@ -62,7 +73,7 @@ http {
 
   # Default log file
   # (this is only used when you don't override access_log on a server{} level)
-  access_log /var/log/nginx/access.log main;
+  access_log /etc/bitwarden/logs/nginx/access.log main;
 
   # How long to allow each connection to stay idle; longer values are better
   # for each individual client, particularly for SSL, but means that worker

@@ -23,10 +23,6 @@ BW_INSTALLATION_KEY=xxxxxxxxxxxx
 #####################
 # Learn more here: https://bitwarden.com/help/environment-variables/
 
-# Container user ID/group ID
-#PUID=1000
-#PGID=1000
-
 # IPV6
 #BW_ENABLE_IPV6=true
 

@@ -1,12 +1,12 @@
 [program:admin]
-autostart=true
+autostart=%(ENV_BW_ENABLE_ADMIN)s
 autorestart=true
 command=/app/Admin/Admin
 directory=/app/Admin
 environment=ASPNETCORE_URLS="http://+:5000"
 priority=3
 redirect_stderr=true
 startsecs=15
-stdout_logfile=/var/log/bitwarden/admin.log
+stdout_logfile=/etc/bitwarden/logs/supervisord/admin.log
 stdout_logfile_maxbytes=10485760
 stdout_logfile_backups=5
@@ -1,12 +1,12 @@
 [program:api]
-autostart=true
+autostart=%(ENV_BW_ENABLE_API)s
 autorestart=true
 command=/app/Api/Api
 directory=/app/Api
 environment=ASPNETCORE_URLS="http://+:5001"
 priority=2
 redirect_stderr=true
 startsecs=15
-stdout_logfile=/var/log/bitwarden/api.log
+stdout_logfile=/etc/bitwarden/logs/supervisord/api.log
 stdout_logfile_maxbytes=10485760
 stdout_logfile_backups=5
@@ -1,12 +1,12 @@
 [program:events]
-autostart=true
+autostart=%(ENV_BW_ENABLE_EVENTS)s
 autorestart=true
 command=/app/Events/Events
 directory=/app/Events
 environment=ASPNETCORE_URLS="http://+:5003"
 priority=3
 redirect_stderr=true
 startsecs=15
-stdout_logfile=/var/log/bitwarden/events.log
+stdout_logfile=/etc/bitwarden/logs/supervisord/events.log
 stdout_logfile_maxbytes=10485760
 stdout_logfile_backups=5
@@ -1,12 +1,12 @@
 [program:icons]
-autostart=true
+autostart=%(ENV_BW_ENABLE_ICONS)s
 autorestart=true
 command=/app/Icons/Icons
 directory=/app/Icons
 environment=ASPNETCORE_URLS="http://+:5004"
 priority=3
 redirect_stderr=true
 startsecs=15
-stdout_logfile=/var/log/bitwarden/icons.log
+stdout_logfile=/etc/bitwarden/logs/supervisord/icons.log
 stdout_logfile_maxbytes=10485760
 stdout_logfile_backups=5
@@ -1,12 +1,12 @@
 [program:identity]
-autostart=true
+autostart=%(ENV_BW_ENABLE_IDENTITY)s
 autorestart=true
 command=/app/Identity/Identity
 directory=/app/Identity
 environment=ASPNETCORE_URLS="http://+:5005"
 priority=1
 redirect_stderr=true
 startsecs=15
-stdout_logfile=/var/log/bitwarden/identity.log
+stdout_logfile=/etc/bitwarden/logs/supervisord/identity.log
 stdout_logfile_maxbytes=10485760
 stdout_logfile_backups=5