Skip to Content

Self-host Vaultwarden on redu

Vaultwarden  is a lightweight, Bitwarden-compatible password manager server. People self-host it to keep full control of their vault data on infrastructure they own, while still using the official Bitwarden apps and browser extensions. On redu, your agent runs Vaultwarden for you on a real VM in the EU, so you set up no servers, proxies, or certificates by hand.

License: Vaultwarden is licensed under AGPL-3.0. It is open source, so you are free to self-host it; in this guide you are the operator running Vaultwarden on your own redu infrastructure.

Deploy it with your agent

This works with any MCP client. Claude Code is shown below as the example.

Connect the redu MCP:

claude mcp add --transport http redu-cloud https://mcp.redu.cloud/mcp

Point your agent at Vaultwarden’s official Docker setup (its official vaultwarden/server image and docker-compose template) and tell it:

Deploy Vaultwarden on redu using its official docker-compose, and expose the web UI.

Your agent uses deploy_compose to run the whole stack on one EU VM with podman-compose up -d --build, then serves the Vaultwarden web UI at https://<name>.redu.cloud. It reads the host port that the compose file maps for the web service and exposes that one service. redu never rewrites your compose file.

Database

Vaultwarden bundles its own datastore: by default it uses an embedded SQLite database that lives in its /data volume, so a basic deploy needs no external database. Keep the default and your vault data persists on the VM’s volume.

If you prefer a separate managed database, Vaultwarden also supports PostgreSQL as an optional backend. In that case you have two clean options:

  • Keep the SQLite default from the official compose setup (simplest, nothing external to run).
  • Have your agent provision a redu managed Postgres and point Vaultwarden at it, for example:
Deploy Vaultwarden on redu, and use a redu managed Postgres for its database.

With the managed option, the database connection env is injected into the compose project’s .env, and DATABASE_* aliases are set alongside the standard Postgres variables so Vaultwarden connects without manual mapping.

Access it

Vaultwarden comes up at https://<name>.redu.cloud with TLS already in place (a wildcard cert), so there is no per-app certificate setup. On first run, open the URL in a browser to create your account and sign in with the Bitwarden apps or extensions; consult the official Vaultwarden docs for admin settings such as controlling open registration.

Keep it running

Deploys are self-healing: redu recreates and retries the stack until Vaultwarden actually runs, and get_deployment returns the build log if you want to see what happened. Day-2, your agent can SSH into the VM (via get_ssh_command and a keypair) to update Vaultwarden, adjust its config, or fix it in place, and commit any fixes back to your repo with a GitHub token.

What’s next

Stuck? support@redu.cloud

Last updated on