Self-hosted instance of Bitwarden works pretty well, and you can make it accessible behind a VPN to your local network only (plus there are multiple implementations of its back-end). Less-automated solutions make impractical concessions in usability.
Oh, I'm sure Vaultwarden is much more resource-friendly, but even then:
a user's password list is arguably the most important thing on the device.
And I'm not sure you need a "web interface" to something that in the end is nothing more than an encrypted text file, which is why I always recommend pass[0] or using the browser's built-in pw manager for people that don't know ssh and git.
For whatever it's worth, I think people should be a little careful about using Pass. From their website:
> With pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password.
This is the exact problem that LastPass just got hit with (okay, one of multiple problems) -- the vault doesn't encrypt the URLs of the sites you visit. Pass is really elegant, but it leaks a ton of metadata in pursuit of that elegance. Tracking password changes unencrypted in Git really seems like it's just asking for trouble.
Yeah, the actual passwords are encrypted and stay encrypted, and that's great -- but we've just seen with LastPass that it kind of matters that the entire vault be encrypted. I personally think there are better ways to get a CLI interface than exposing the site list.
For tech-savvy people - https://www.passwordstore.org/
The rest doesn't work unfortunately, proven over and over.