Initial Commit

Signed-off-by: Tommy <contact@tommytran.io>
2024-11-22 05:01:33 -05:00 · 2022-09-11 15:44:04 -04:00 · 2022-09-11 15:44:04 -04:00 · 007cd5d841
commit 007cd5d841
parent 81e6da7737
3 changed files with 108 additions and 0 deletions
--- a/32
+++ b/32
@ -0,0 +1,32 @@
+{$DOMAIN}:443 {
+  log {
+    level INFO
+    output file {$LOG_FILE} {
+      roll_size 10MB
+      roll_keep 10
+    }
+  }
+
+  # Use the ACME HTTP-01 challenge to get a cert for the configured domain.
+  tls {$EMAIL}
+
+  # This setting may have compatibility issues with some browsers
+  # (e.g., attachment downloading on Firefox). Try disabling this
+  # if you encounter issues.
+  encode gzip
+
+  # Notifications redirected to the WebSocket server
+  reverse_proxy /notifications/hub vaultwarden:3012
+
+  # Proxy everything else to Rocket
+  reverse_proxy vaultwarden:80 {
+       # Send the true remote IP to Rocket, so that vaultwarden can put this in the
+       # log, so that fail2ban can ban the correct IP.
+       header_up X-Real-IP {remote_host}
+       header_down Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
+       header_down Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), clipboard-write=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()"
+       header_down X-XSS-Protection "0"
+       header_down Content-Security-Policy "upgrade-insecure-requests; block-all-mixed-content; form-action 'none'; frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://*"
+       header_down Expect-CT: "enforce, max-age=63072000"
+  }
+}
--- a/README.md
+++ b/README.md
@ -0,0 +1,5 @@
+# Synapse-Docker-Compose
+Vaultwarden Docker-Compose
+
+1. Update `docker-compose.yml`
+2. Run `docker-compose up` and make sure nothing errors out. You can use `docker-compose up -d` to start it in the background if you want.
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -0,0 +1,71 @@
+version: '3'
+
+services:
+  vaultwarden:
+    image: vaultwarden/server:alpine
+    container_name: vaultwarden
+    restart: unless-stopped
+    environment:
+      - WEBSOCKET_ENABLED=true  # Enable WebSocket notifications.
+      - DATABASE_URL=postgresql://vaultwarden:YOUR_POSTGRESQL_PASSWORD@postgres:5432/vaultwarden
+      - ADMIN_TOKEN=YOUR_ADMIN_PASSWORD
+    volumes:
+      - vaultwarden:/data
+    networks:
+      - vaultwarden
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+
+  caddy:
+    image: caddy:alpine
+    container_name: caddy
+    restart: unless-stopped
+    ports:
+      - 80:80  # Needed for the ACME HTTP-01 challenge.
+      - 443:443
+    volumes:
+      - ./Caddyfile:/etc/caddy/Caddyfile:Z
+      - ./caddy-config:/config:Z
+      - ./caddy-data:/data:Z
+    environment:
+      - DOMAIN=YOUR_DOMAIN  # Your domain.
+      - EMAIL=YOUR_EMAIL         # The email address to use for ACME registration.
+      - LOG_FILE=/data/access.log
+    networks:
+      - vaultwarden
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - CAP_NET_BIND_SERVICE
+
+  postgres:
+    image: postgres:alpine
+    container_name: postgres
+    volumes:
+      - postgres:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_USER=vaultwarden
+      - POSTGRES_PASSWORD=YOUR_POSTGRESQL_PASSWORD
+    restart: unless-stopped
+    networks: 
+      - vaultwarden
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - DAC_READ_SEARCH
+      - SETGID
+      - SETUID
+
+volumes:
+  postgres:
+  vaultwarden:
+
+networks:
+  vaultwarden: