Same, although in the end I figured I'll give BitWarden my money, as it's more than cheap enough.

My own "justification" is that while self-hosted is my main personal store, I maintain a paid but empty account with Bitwarden. Said empty account on their servers is to be the emergency access person for family members' personal official vaults. So, they get some money for a license out of me, without the server usage.

Ah nice, that's a good solution.

I subscribed for two reasons: 1. To support their efforts and 2. They accept Bitcoin (and of course I paid with Bitcoin although the whole payment processing was garbage).

Bitcoin really isn't that anonymous

The parent didn't say they use Bitcoin for that feature though?

Similar here... I also trust them to maintain their service slightly better than I trust myself to do so. I like supporting the project in general as well.

Same here too for personal/family vaults. Have been using the bitwarden cloud offering in professional context too.

vaultwarden, or bitwarden-rs as it used to be called, have been working flawlessly for years on my side, updates always work just as expected, and it supports a lot of organizational features too.

But I felt like it was better to trust bitwarden’s cloud for professional stuff, just for the reliability.

I did too, and liked it until it taught me a valuable lesson about self hosting things. I started using the project while it was still called bitwarden-rs. Apparently they were told to rename by Bitwarden (understandable).

My setup was based on their Docker images, and thinking it was the safest option I had set up Watchtower to automatically update to the latest image nightly to get the latest security patches. But then I discovered that the bitwarden-rs image had not been updated for _months_ because of the rename.

So basically I was hosting my whole password database in this, and I had suddenly lost security updates without realizing.

Btw, I'm not blaming neither Vaultwarden or Bitwarden. But if you're going to self-host something this security critical, just be sure that you definitely monitor it _manually_ to make sure you're not on some unpatched vulnerable version some months down the line.

Please be careful with Watchtower. Its update functionally can not (by design) separate your ENV settings and the ones from the new container.

E.g. you deploy with DATABASE_URL=x

This becomes DATABASE_URL=x PYTHON=3.0.0

You did not set the Python one, the image did via ENV.

Now a new version comes out with PYTHON=3.1.0.

Watchtower doesn't know which ENVs you set and which ones came from the container as docker inspect exposes them in the same way.

So now Watchtower deploys the new version (which only has Python 3.1.0) with DATABASE_URL=x PYTHON=3.0.0.

And stuff stops working.

I use an ansible playbook which maintains the only ENV vars that need to survive an update.

I've seen watchtower burn so many people...

Better to put everything in git and run your own renovate bot which will create PRs for you to review and also pull in the changelogs to the PR itself so you can check for breaking changes.

Just set Watchtower to quit after run and run it manually when convenient. This way, you’ll instantly know if some update went wrong and can fix it.

Do you have an example online? Always interested to see different approaches.

Same, its become invaluable for me.

+ I really enjoy this era of self-hosted tools.

Same, it’s been great honestly.