diff --git a/Caddyfile b/Caddyfile
new file mode 100644
index 0000000..0a014cf
--- /dev/null
+++ b/Caddyfile
@@ -0,0 +1,32 @@
+{$DOMAIN}:443 {
+ log {
+ level INFO
+ output file {$LOG_FILE} {
+ roll_size 10MB
+ roll_keep 10
+ }
+ }
+
+ # Use the ACME HTTP-01 challenge to get a cert for the configured domain.
+ tls {$EMAIL}
+
+ # This setting may have compatibility issues with some browsers
+ # (e.g., attachment downloading on Firefox). Try disabling this
+ # if you encounter issues.
+ encode gzip
+
+ # Notifications redirected to the WebSocket server
+ reverse_proxy /notifications/hub vaultwarden:3012
+
+ # Proxy everything else to Rocket
+ reverse_proxy vaultwarden:80 {
+ # Send the true remote IP to Rocket, so that vaultwarden can put this in the
+ # log, so that fail2ban can ban the correct IP.
+ header_up X-Real-IP {remote_host}
+ header_down Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
+ header_down Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), clipboard-write=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()"
+ header_down X-XSS-Protection "0"
+ header_down Content-Security-Policy "upgrade-insecure-requests; block-all-mixed-content; form-action 'none'; frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://*"
+ header_down Expect-CT: "enforce, max-age=63072000"
+ }
+}
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..c4f076e
--- /dev/null
+++ b/README.md
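Review bot: `header_down Expect-CT: "enforce, max-age=63072000"` carries a trailing colon in the field name, so the proxied response gets a header literally named `Expect-CT:` rather than `Expect-CT`; drop the colon, or remove the line altogether, since Expect-CT is deprecated and an ACME-issued certificate is already CT-logged. Because every `header_down` sits inside the Rocket `reverse_proxy` block it only decorates responses from that upstream: the `/notifications/hub` proxy and any response Caddy generates itself (e.g. a 502 when the upstream is down) go out without HSTS or the `frame-ancestors` policy, so these belong in a site-level `header { ... }` block that applies to every response. `includeSubdomains; preload` also commits every subdomain of `{$DOMAIN}` to HTTPS once submitted to the preload list and is hard to reverse, so keep `preload` only if that is intended. The `X-Real-IP` comment assumes Caddy is the edge; if another proxy or load balancer sits in front, `{remote_host}` is that hop's address and fail2ban would ban it instead of the client.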
@@ -0,0 +1,5 @@
+# Synapse-Docker-Compose
+Vaultwarden Docker-Compose
+
+1. Update `docker-compose.yml`
+2. Run `docker-compose up` and make sure nothing errors out. You can use `docker-compose up -d` to start it in the background if you want.
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..f5330de
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,71 @@
+version: '3'
+
+services:
+ vaultwarden:
+ image: vaultwarden/server:alpine
+ container_name: vaultwarden
+ restart: unless-stopped
+ environment:
+ - WEBSOCKET_ENABLED=true # Enable WebSocket notifications.
+ - DATABASE_URL=postgresql://vaultwarden:YOUR_POSTGRESQL_PASSWORD@postgres:5432/vaultwarden
+ - ADMIN_TOKEN=YOUR_ADMIN_PASSWORD
+ volumes:
+ - vaultwarden:/data
+ networks:
+ - vaultwarden
+ security_opt:
+ - no-new-privileges:true
+ cap_drop:
+ - ALL
+
+ caddy:
+ image: caddy:alpine
+ container_name: caddy
+ restart: unless-stopped
+ ports:
+ - 80:80 # Needed for the ACME HTTP-01 challenge.
+ - 443:443
+ volumes:
+ - ./Caddyfile:/etc/caddy/Caddyfile:Z
+ - ./caddy-config:/config:Z
+ - ./caddy-data:/data:Z
+ environment:
+ - DOMAIN=YOUR_DOMAIN # Your domain.
+ - EMAIL=YOUR_EMAIL # The email address to use for ACME registration.
+ - LOG_FILE=/data/access.log
+ networks:
+ - vaultwarden
+ security_opt:
+ - no-new-privileges:true
+ cap_drop:
+ - ALL
+ cap_add:
+ - CAP_NET_BIND_SERVICE
+
+ postgres:
+ image: postgres:alpine
+ container_name: postgres
+ volumes:
+ - postgres:/var/lib/postgresql/data
+ environment:
+ - POSTGRES_USER=vaultwarden
+ - POSTGRES_PASSWORD=YOUR_POSTGRESQL_PASSWORD
+ restart: unless-stopped
+ networks:
+ - vaultwarden
+ security_opt:
+ - no-new-privileges:true
+ cap_drop:
+ - ALL
+ cap_add:
+ - CHOWN
+ - DAC_READ_SEARCH
+ - SETGID
+ - SETUID
+
+volumes:
+ postgres:
+ vaultwarden:
+
+networks:
+ vaultwarden:
\ No newline at end of file
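Review bot: `ADMIN_TOKEN=YOUR_ADMIN_PASSWORD` and the two copies of `YOUR_POSTGRESQL_PASSWORD` (in the vaultwarden `DATABASE_URL` and the postgres `POSTGRES_PASSWORD`) put live secrets into the tracked compose file the README tells users to edit, and the duplicated database password must be kept in sync by hand or vaultwarden fails to authenticate to Postgres. Reference them from a git-ignored `.env` instead, e.g. `- ADMIN_TOKEN=${ADMIN_TOKEN}`, `- DATABASE_URL=postgresql://vaultwarden:${POSTGRES_PASSWORD}@postgres:5432/vaultwarden` and `- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}`, and add `.env` to `.gitignore`. If the deployed vaultwarden release supports it, an Argon2 PHC-string hash for `ADMIN_TOKEN` avoids storing the admin secret in plaintext at all and is worth a comment next to the variable. The file also sets no `SIGNUPS_ALLOWED`, so vaultwarden's default of open registration applies to anyone who can reach the domain; add `- SIGNUPS_ALLOWED=false` unless public sign-up is intended, and consider restricting `/admin` at the proxy since the token enables that page.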