This commit is contained in:
msnie
2024-02-03 11:58:42 +01:00
parent 17ca1c805f
commit 5b0b5f548c
706 changed files with 135245 additions and 0 deletions
+40
View File
@@ -0,0 +1,40 @@
VIRTUAL_HOST=bw.knast.cc
HOST=bw.knast.cc
DOMAIN_NAME=knast.cc
DEFAULT_NETWORK=traefik
PROJECT_IDENTIFIER=vaultwarden
NGINX_PORT=80
ADMIN_TOKEN=SebVYisM722hPXmBDLBnS6AkVPSjMnZcHJSsMTNF
SIGNUPS_ALLOWED=true
SIGNUPS_VERIFY=true
INVITATIONS_ALLOWED=true
SHOW_PASSWORD_HINT=false
# Those options must be enabled in the docker-compose file:
SMTP_HOST=
SMTP_FROM=
SMTP_PORT=
SMTP_SECURITY=starttls
SMTP_USERNAME=
SMTP_PASSWORD=
WEBSOCKET_ENABLED=true
DOMAIN=${VIRTUAL_HOST}
SIGNUPS_DOMAINS_WHITELIST=
DISABLE_ADMIN_TOKEN=false
YUBICO_CLIENT_ID=
YUBICO_SECRET_KEY=
YUBICO_SERVER=
LOG_FILE=/data/vaultwarden.log
LOG_LEVEL=warn
USE_SYSLOG=
EXTENDED_LOGGING=
+6
View File
@@ -0,0 +1,6 @@
/.idea/*
/Data/Vaultwarden/*
/Data/Vaultwarden-Backup/*
!/Data/Vaultwarden/.gitkeep
!/Data/Vaultwarden-Backup/.gitkeep
@@ -0,0 +1,6 @@
FROM nginx:1.21.4-alpine
ADD default.conf.template /default.conf.template
ADD run_nginx.sh /run_nginx.sh
RUN chmod +x /run_nginx.sh
@@ -0,0 +1,37 @@
server {
listen 80;
server_name bw.knast.cc;
# server_name localhost;
client_body_temp_path /tmp/nginx;
client_max_body_size 128M;
ssl_protocols TLSv1.3;
ssl_reject_handshake on;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
# the header prevents clickjacking
add_header X-Frame-Options "SAMEORIGIN";
# block Cross-Site scripting
add_header X-XSS-Protection "1; mode=block";
location / {
proxy_pass http://vaultwarden;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /notifications/hub {
proxy_pass http://vaultwarden:3012;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /notifications/hub/negotiate {
proxy_pass http://vaultwarden:80;
}
}
+8
View File
@@ -0,0 +1,8 @@
#!/bin/sh
set -e
set -u
envsubst '${NGINX_PORT}' < /default.conf.template > /etc/nginx/conf.d/default.conf
nginx -g "daemon off;"
+21
View File
@@ -0,0 +1,21 @@
MIT License
Copyright (c) 2021 Enes Erk
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
+119
View File
@@ -0,0 +1,119 @@
# Vaultwarden with Traefik
This repository helps to host your own [Vaultwarden](https://github.com/dani-garcia/vaultwarden) instance on your
server or a raspberry-pi.
## Usage
Edit your settings in the `.env` file.
Start the containers with
```shell
docker-compose up -d
```
:warning: You have to install [Traefik](https://github.com/erkenes/docker-traefik) as well.
## Settings
In the docker-compose.yml file the admin-token is disabled. If this setting is disabled you are not able to open the
admin page (`yourhost.local/admin`).
## Configuration for environment variables
### SIGNUPS_ALLOWED
By default, anyone who can access your instance can register for a new account. To disable this, set the
`SIGNUPS_ALLOWED` env variable to false.
[More information](https://github.com/dani-garcia/vaultwarden/wiki/Disable-registration-of-new-users)
### SIGNUPS_DOMAINS_WHITELIST
You can restrict registration to email addresses from certain domains by setting `SIGNUPS_DOMAINS_WHITELIST` accordingly.
[More information](https://github.com/dani-garcia/vaultwarden/wiki/Disable-registration-of-new-users#restricting-registrations-to-certain-email-domains)
### SIGNUPS_VERIFY
Require email verification to finish the registration.
### INVITATIONS_ALLOWED
Even when registration is disabled (`SIGNUPS_ALLOWED`), organization administrators or owners can invite users to join
organization.
[More information](https://github.com/dani-garcia/vaultwarden/wiki/Disable-invitations)
### ADMIN_TOKEN
Activated the admin page. This page allows server administrators to view all the registered users and to delete them. It
also shows inviting
new users, even when registration is disabled.
[More information](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page)
### DISABLE_ADMIN_TOKEN
If you have another method to authenticate the admin page then you can set the `DISABLE_ADMIN_TOKEN` variable to true.
[More information](https://github.com/dani-garcia/vaultwarden/wiki/Disable-admin-token)
### WEBSOCKET_ENABLED
Informs the browser and desktop Bitwarden clients that some event of interest has occurred, such as when an entry in the
password database has been modified or deleted.
This setting is not applicable to mobile Bitwarden clients (Android/iOS) because these use the native push notification
service instead.
[More information](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-WebSocket-notifications)
### DOMAIN
The domain of your vaultwarden instance (should be the same as `VIRTUAL_HOST`).
This is required for U2F and FIDO2 WebAuthn authentication.
[More information](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-U2F-%28and-FIDO2-WebAuthn%29-authentication)
### YubiKey OTP Authentication
You need a `YUBICO_CLIENT_ID` and `YUBICO_SECRET_KEY` to allow authentication with a Yubikey.
If `YUBICO_SERVER` is not set the default YubiCloud servers are used.
[More information](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Yubikey-OTP-authentication)
### SMTP Configuration
- `SMTP_HOST`: The host server of the mail server
- `SMTP_FROM`: the mail address which should be used for sending mails
- `SMTP_PORT`: the port of the smtp server
- `SMTP_SECURITY`: the protocol that should be used (default: starttls, options: force_tls, off, starttls)
- `SMTP_USERNAME`: the username of the smtp user
- `SMTP_PASSWORD`: the password of the smtp user
This requires to set the `DOMAIN` variable.
[More information](https://github.com/dani-garcia/vaultwarden/wiki/SMTP-Configuration)
### SHOW_PASSWORD_HINT
Usually, password hints are sent by email. But as vaultwarden is made with small or personal deployment in mind,
hints are also available from the password hint page, so you don't have to configure an email service.
[More information](https://github.com/dani-garcia/vaultwarden/wiki/Password-hint-display)
### Logging
- `LOG_LEVEL`: options are: "trace", "debug", "info", "warn", "error" or "off". NOTE: Using the log level "warn" or "error" still allows Fail2Ban to work properly.
- `USE_SYSLOG`
- `EXTENDED_LOGGING`
[More information](https://github.com/dani-garcia/vaultwarden/wiki/Logging)
### Syncing users from LDAP
[More information](https://github.com/dani-garcia/vaultwarden/wiki/Syncing-users-from-LDAP)
+23
View File
@@ -0,0 +1,23 @@
server {
listen 80;
server_name bw.knast.cc;
client_max_body_size 128M;
location / {
proxy_pass http://bitwarden-backend:80;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /notifications/hub {
proxy_pass http://bitwarden-backend:3012;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /notifications/hub/negotiate {
proxy_pass http://bitwarden-backend:80;
}
}
+149
View File
@@ -0,0 +1,149 @@
version: '3.8'
services:
bitwarden-frontend:
image: nginx:1.15-alpine
container_name: bitwarden-frontend
restart: unless-stopped
volumes:
- ./bitwarden.conf:/etc/nginx/conf.d/bitwarden.conf
networks:
- traefik
- db
depends_on:
- bitwarden-backend
labels:
- "traefik.enable=true"
- "traefik.http.routers.bw.entrypoints=websecure"
- "traefik.http.routers.bw.rule=Host(`bw.$DOMAIN_NAME`)"
- "traefik.http.routers.bw.tls.certresolver=letsencr"
- "traefik.docker.network=traefik"
- "traefik.http.services.bw.loadbalancer.server.port=80"
logging:
driver: "json-file"
options:
max-size: "1m"
bitwarden-backend:
image: vaultwarden/server:latest
container_name: bitwarden-backend
restart: unless-stopped
volumes:
- /srv/vaultwarden_data:/data
environment:
- WEBSOCKET_ENABLED=true
networks:
- db
logging:
driver: "json-file"
options:
max-size: "1m"
bitwarden-backup:
image: bruceforce/bw_backup:latest
container_name: bitwarden-backup
restart: unless-stopped
depends_on:
- bitwarden-backend
volumes:
- /srv/vaultwarden_data:/data
- /srv/vaultwarden_data_backup:/backup
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
environment:
- DB_FILE=/data/db.sqlite3
- BACKUP_FILE=/backup/backup.sqlite3
- CRON_TIME=0 1 * * *
- TIMESTAMP=false
- UID=0
- GID=0
networks:
- db
logging:
driver: "json-file"
options:
max-size: "1m"
# version: '3.9'
# services:
# vaultwarden:
# image: vaultwarden/server:latest #swap tag to raspberry to run on a raspberry pi
# volumes:
# - '/srv/vaultwarden_data:/data'
# restart: on-failure
# environment:
# WEBSOCKET_ENABLED: '${WEBSOCKET_ENABLED}'
# SIGNUPS_ALLOWED: '${SIGNUPS_ALLOWED}'
# # SIGNUPS_DOMAINS_WHITELIST: '${SIGNUPS_DOMAINS_WHITELIST}'
# SIGNUPS_VERIFY: '${SIGNUPS_VERIFY}'
# INVITATIONS_ALLOWED: '${INVITATIONS_ALLOWED}'
# SHOW_PASSWORD_HINT: '${SHOW_PASSWORD_HINT}'
# # ADMIN_TOKEN: '${ADMIN_TOKEN}'
# # DISABLE_ADMIN_TOKEN: '${DISABLE_ADMIN_TOKEN}'
# # Mail Server
# # SMTP_HOST: '${SMTP_HOST}'
# # SMTP_FROM: '${SMTP_FROM}'
# # SMTP_PORT: '${SMTP_PORT}'
# # SMTP_SECURITY: '${SMTP_SECURITY}'
# # SMTP_USERNAME: '${SMTP_USERNAME}'
# # SMTP_PASSWORD: '${SMTP_PASSWORD}'
# # Logging
# LOG_FILE: '/data/vaultwarden.log'
# LOG_LEVEL: '${LOG_LEVEL}'
# # USE_SYSLOG: '${USE_SYSLOG}'
# # EXTENDED_LOGGING: '${EXTENDED_LOGGING}'
# # YubiKey authentication
# # YUBICO_CLIENT_ID: '${YUBICO_CLIENT_ID}'
# # YUBICO_SECRET_KEY: '${YUBICO_SECRET_KEY}'
# # YUBICO_SERVER: '${YUBICO_SERVER}'
# nginx:
# build: './Docker/nginx'
# links:
# - vaultwarden
# - vw_backup
# environment:
# VIRTUAL_HOST: '${VIRTUAL_HOST}'
# command: /bin/sh -c "/run_nginx.sh"
# restart: on-failure
# networks:
# - traefik
# - db
# labels:
# - "traefik.enable=true"
# - "traefik.http.routers.bw.entrypoints=websecure"
# - "traefik.http.routers.bw.rule=Host(`bw.$DOMAIN_NAME`)"
# - "traefik.http.routers.bw.tls.certresolver=letsencr"
# - "traefik.docker.network=traefik"
# - "traefik.http.services.bw.loadbalancer.server.port=80"
# vw_backup:
# image: bruceforce/bw_backup:latest #swap tag to rpi3 to run on a raspberry pi
# restart: on-failure
# depends_on:
# - vaultwarden
# networks:
# - db
# volumes:
# - '/srv/vaultwarden_data:/data'
# - '/srv/vaultwarden_data_backup:/backup'
# - '/etc/timezone:/etc/timezone:ro'
# - '/etc/localtime:/etc/localtime:ro'
# environment:
# - DB_FILE=/data/db.sqlite3
# - BACKUP_FILE=/backup/backup.sqlite3
# - BACKUP_FILE_PERMISSIONS=700
# - CRON_TIME=0 1 * * *
# - TIMESTAMP=false
# - UID=0
# - GID=0
networks:
traefik:
external: true
db:
external: false