---
title: OneCLI Gateway Setup — Bitwarden Vault Integration
created: 2026-06-16
updated: 2026-06-16
type: note
tags: [project, workflow]
---

# OneCLI Gateway Setup — Bitwarden Vault Integration

## Problem

The OneCLI web UI showed "Failed to connect to vault" when trying to pair with Bitwarden. The Rust gateway binary (port 10255) was neither running nor exposed via the reverse proxy.

## Solution

Three things were needed:

### 1. Gateway systemd service

Created `/etc/systemd/system/onecli-gateway.service` with:

- Rust binary at `apps/gateway/target/release/onecli-gateway`
- Wrapper script `start-gateway.sh` (DATABASE_URL, SECRET_ENCRYPTION_KEY, AUTH_MODE=*** APP_URL)
- After=onecli-postgresql.service, Restart=on-failure

### 2. Traefik reverse proxy

Exposed the gateway at a subdomain:

- `gateway.onecli.anhydr.fr` -> server:10255
- CORS middleware needed: allow origin `https://onecli.anhydr.fr` with credentials

### 3. Web app rebuild

- Set `GATEWAY_API_DOMAIN=gateway.onecli.anhydr.fr` in start-web.sh
- Added Next.js rewrite: `/v1/*` -> `localhost:10255`
- Rebuilt with `GATEWAY_API_DOMAIN=gateway.onecli.anhydr.fr pnpm build`
- Result: `window.__GATEWAY_API_URL__ = "https://gateway.onecli.anhydr.fr"`

## Key commands

```bash
# Build gateway
cargo build --release  # in apps/gateway/

# Rebuild web app
PATH="/home/hermes/.hermes/node/bin:$PATH" \
GATEWAY_API_DOMAIN="gateway.onecli.anhydr.fr" \
pnpm build --filter=@onecli/web

# Restart services
sudo systemctl restart onecli
```

## Architecture

```
User browser
  -> onecli.anhydr.fr -> Traefik -> :10254 (Next.js)
  -> gateway.onecli.anhydr.fr -> Traefik -> :10255 (Rust gateway) -> wss://ap.lesspassword.dev
```

## Verification

```bash
curl -s https://gateway.onecli.anhydr.fr/v1/vault/bitwarden/status
# -> {"connected":false,"name":null,"status_data":null}
```
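
The status call above does not exercise the CORS middleware from step 2, which is what the browser depends on. The following check is an added example, not part of the original setup: the function names `header_value` and `cors_ok`, the origin `https://untrusted.example` and the header dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: check captured response headers against the CORS policy from
# step 2 (allow only the web UI origin, with credentials). Capture real headers with:
#   curl -s -o /dev/null -D - -H "Origin: <origin>" <gateway status URL>
ALLOWED="https://onecli.anhydr.fr"

# Constructed sample header dumps, shaped like `curl -D -` output.
GOOD=$(printf 'HTTP/2 200\r\nAccess-Control-Allow-Origin: https://onecli.anhydr.fr\r\nAccess-Control-Allow-Credentials: true\r\nVary: Origin\r\n')
WILDCARD=$(printf 'HTTP/2 200\r\naccess-control-allow-origin: *\r\naccess-control-allow-credentials: true\r\n')
REFLECTED=$(printf 'HTTP/2 200\r\naccess-control-allow-origin: https://untrusted.example\r\naccess-control-allow-credentials: true\r\n')
NOCORS=$(printf 'HTTP/2 200\r\ncontent-type: application/json\r\n')

# header_value NAME: print the value of header NAME (case-insensitive) from stdin.
header_value() {
  awk -v want="$1" '
    { sub(/\r$/, ""); i = index($0, ":") }
    i && tolower(substr($0, 1, i - 1)) == tolower(want) {
      v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
    }'
}

# cors_ok ALLOWED_ORIGIN SENT_ORIGIN HEADERS: exit status 0 if the response
# matches the intended policy for a request that carried SENT_ORIGIN.
cors_ok() {
  _acao=$(printf '%s\n' "$3" | header_value access-control-allow-origin)
  _acac=$(printf '%s\n' "$3" | header_value access-control-allow-credentials)
  if [ "$2" = "$1" ]; then
    # The web UI origin must be named exactly, with credentials allowed.
    [ "$_acao" = "$1" ] && [ "$_acac" = "true" ]
  else
    # Any other origin must not be granted: no wildcard, no reflection.
    [ -z "$_acao" ] || [ "$_acao" = "$1" ]
  fi
}

report() {
  if cors_ok "$ALLOWED" "$1" "$2"; then echo "ok   $3"; else echo "FAIL $3"; fi
}
report "$ALLOWED" "$GOOD" "UI origin: exact allow-origin with credentials"
report "$ALLOWED" "$WILDCARD" "UI origin: wildcard allow-origin"
report "https://untrusted.example" "$REFLECTED" "foreign origin reflected back"
report "$ALLOWED" "$NOCORS" "UI origin: no CORS headers at all"
```

A response that names only the web UI origin also passes for a foreign `Origin`, because the browser refuses the mismatch on its own.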