re init
This commit is contained in:
@@ -0,0 +1,40 @@
|
||||
VIRTUAL_HOST=bw.knast.cc
|
||||
HOST=bw.knast.cc
|
||||
|
||||
DOMAIN_NAME=knast.cc
|
||||
DEFAULT_NETWORK=traefik
|
||||
|
||||
PROJECT_IDENTIFIER=vaultwarden
|
||||
|
||||
NGINX_PORT=80
|
||||
|
||||
ADMIN_TOKEN=SebVYisM722hPXmBDLBnS6AkVPSjMnZcHJSsMTNF
|
||||
|
||||
SIGNUPS_ALLOWED=true
|
||||
SIGNUPS_VERIFY=true
|
||||
INVITATIONS_ALLOWED=true
|
||||
SHOW_PASSWORD_HINT=false
|
||||
|
||||
# Those options must be enabled in the docker-compose file:
|
||||
SMTP_HOST=
|
||||
SMTP_FROM=
|
||||
SMTP_PORT=
|
||||
SMTP_SECURITY=starttls
|
||||
SMTP_USERNAME=
|
||||
SMTP_PASSWORD=
|
||||
|
||||
|
||||
WEBSOCKET_ENABLED=true
|
||||
DOMAIN=${VIRTUAL_HOST}
|
||||
|
||||
SIGNUPS_DOMAINS_WHITELIST=
|
||||
DISABLE_ADMIN_TOKEN=false
|
||||
|
||||
YUBICO_CLIENT_ID=
|
||||
YUBICO_SECRET_KEY=
|
||||
YUBICO_SERVER=
|
||||
|
||||
LOG_FILE=/data/vaultwarden.log
|
||||
LOG_LEVEL=warn
|
||||
USE_SYSLOG=
|
||||
EXTENDED_LOGGING=
|
||||
@@ -0,0 +1,6 @@
|
||||
/.idea/*
|
||||
/Data/Vaultwarden/*
|
||||
/Data/Vaultwarden-Backup/*
|
||||
|
||||
!/Data/Vaultwarden/.gitkeep
|
||||
!/Data/Vaultwarden-Backup/.gitkeep
|
||||
@@ -0,0 +1,6 @@
|
||||
FROM nginx:1.21.4-alpine
|
||||
|
||||
ADD default.conf.template /default.conf.template
|
||||
ADD run_nginx.sh /run_nginx.sh
|
||||
|
||||
RUN chmod +x /run_nginx.sh
|
||||
@@ -0,0 +1,37 @@
|
||||
server {
|
||||
listen 80;
|
||||
server_name bw.knast.cc;
|
||||
# server_name localhost;
|
||||
|
||||
client_body_temp_path /tmp/nginx;
|
||||
client_max_body_size 128M;
|
||||
|
||||
ssl_protocols TLSv1.3;
|
||||
ssl_reject_handshake on;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
|
||||
|
||||
# the header prevents clickjacking
|
||||
add_header X-Frame-Options "SAMEORIGIN";
|
||||
|
||||
# block Cross-Site scripting
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
|
||||
location / {
|
||||
proxy_pass http://vaultwarden;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
|
||||
location /notifications/hub {
|
||||
proxy_pass http://vaultwarden:3012;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
}
|
||||
|
||||
location /notifications/hub/negotiate {
|
||||
proxy_pass http://vaultwarden:80;
|
||||
}
|
||||
}
|
||||
Executable
+8
@@ -0,0 +1,8 @@
|
||||
#!/bin/sh
|
||||
|
||||
set -e
|
||||
set -u
|
||||
|
||||
envsubst '${NGINX_PORT}' < /default.conf.template > /etc/nginx/conf.d/default.conf
|
||||
|
||||
nginx -g "daemon off;"
|
||||
@@ -0,0 +1,21 @@
|
||||
MIT License
|
||||
|
||||
Copyright (c) 2021 Enes Erk
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
||||
@@ -0,0 +1,119 @@
|
||||
# Vaultwarden with Traefik
|
||||
|
||||
This repository helps to host your own [Vaultwarden](https://github.com/dani-garcia/vaultwarden) instance on your
|
||||
server or a raspberry-pi.
|
||||
|
||||
## Usage
|
||||
|
||||
Edit your settings in the `.env` file.
|
||||
|
||||
Start the containers with
|
||||
|
||||
```shell
|
||||
docker-compose up -d
|
||||
```
|
||||
|
||||
:warning: You have to install [Traefik](https://github.com/erkenes/docker-traefik) as well.
|
||||
|
||||
## Settings
|
||||
|
||||
In the docker-compose.yml file the admin-token is disabled. If this setting is disabled you are not able to open the
|
||||
admin page (`yourhost.local/admin`).
|
||||
|
||||
## Configuration for environment variables
|
||||
|
||||
### SIGNUPS_ALLOWED
|
||||
|
||||
By default, anyone who can access your instance can register for a new account. To disable this, set the
|
||||
`SIGNUPS_ALLOWED` env variable to false.
|
||||
|
||||
[More information](https://github.com/dani-garcia/vaultwarden/wiki/Disable-registration-of-new-users)
|
||||
|
||||
### SIGNUPS_DOMAINS_WHITELIST
|
||||
|
||||
You can restrict registration to email addresses from certain domains by setting `SIGNUPS_DOMAINS_WHITELIST` accordingly.
|
||||
|
||||
[More information](https://github.com/dani-garcia/vaultwarden/wiki/Disable-registration-of-new-users#restricting-registrations-to-certain-email-domains)
|
||||
|
||||
### SIGNUPS_VERIFY
|
||||
|
||||
Require email verification to finish the registration.
|
||||
|
||||
### INVITATIONS_ALLOWED
|
||||
|
||||
Even when registration is disabled (`SIGNUPS_ALLOWED`), organization administrators or owners can invite users to join
|
||||
organization.
|
||||
|
||||
[More information](https://github.com/dani-garcia/vaultwarden/wiki/Disable-invitations)
|
||||
|
||||
### ADMIN_TOKEN
|
||||
|
||||
Activated the admin page. This page allows server administrators to view all the registered users and to delete them. It
|
||||
also shows inviting
|
||||
new users, even when registration is disabled.
|
||||
|
||||
[More information](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page)
|
||||
|
||||
### DISABLE_ADMIN_TOKEN
|
||||
|
||||
If you have another method to authenticate the admin page then you can set the `DISABLE_ADMIN_TOKEN` variable to true.
|
||||
|
||||
[More information](https://github.com/dani-garcia/vaultwarden/wiki/Disable-admin-token)
|
||||
|
||||
### WEBSOCKET_ENABLED
|
||||
|
||||
Informs the browser and desktop Bitwarden clients that some event of interest has occurred, such as when an entry in the
|
||||
password database has been modified or deleted.
|
||||
|
||||
This setting is not applicable to mobile Bitwarden clients (Android/iOS) because these use the native push notification
|
||||
service instead.
|
||||
|
||||
[More information](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-WebSocket-notifications)
|
||||
|
||||
### DOMAIN
|
||||
|
||||
The domain of your vaultwarden instance (should be the same as `VIRTUAL_HOST`).
|
||||
|
||||
This is required for U2F and FIDO2 WebAuthn authentication.
|
||||
|
||||
[More information](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-U2F-%28and-FIDO2-WebAuthn%29-authentication)
|
||||
|
||||
### YubiKey OTP Authentication
|
||||
|
||||
You need a `YUBICO_CLIENT_ID` and `YUBICO_SECRET_KEY` to allow authentication with a Yubikey.
|
||||
|
||||
If `YUBICO_SERVER` is not set the default YubiCloud servers are used.
|
||||
|
||||
[More information](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Yubikey-OTP-authentication)
|
||||
|
||||
### SMTP Configuration
|
||||
|
||||
- `SMTP_HOST`: The host server of the mail server
|
||||
- `SMTP_FROM`: the mail address which should be used for sending mails
|
||||
- `SMTP_PORT`: the port of the smtp server
|
||||
- `SMTP_SECURITY`: the protocol that should be used (default: starttls, options: force_tls, off, starttls)
|
||||
- `SMTP_USERNAME`: the username of the smtp user
|
||||
- `SMTP_PASSWORD`: the password of the smtp user
|
||||
|
||||
This requires to set the `DOMAIN` variable.
|
||||
|
||||
[More information](https://github.com/dani-garcia/vaultwarden/wiki/SMTP-Configuration)
|
||||
|
||||
### SHOW_PASSWORD_HINT
|
||||
|
||||
Usually, password hints are sent by email. But as vaultwarden is made with small or personal deployment in mind,
|
||||
hints are also available from the password hint page, so you don't have to configure an email service.
|
||||
|
||||
[More information](https://github.com/dani-garcia/vaultwarden/wiki/Password-hint-display)
|
||||
|
||||
### Logging
|
||||
|
||||
- `LOG_LEVEL`: options are: "trace", "debug", "info", "warn", "error" or "off". NOTE: Using the log level "warn" or "error" still allows Fail2Ban to work properly.
|
||||
- `USE_SYSLOG`
|
||||
- `EXTENDED_LOGGING`
|
||||
|
||||
[More information](https://github.com/dani-garcia/vaultwarden/wiki/Logging)
|
||||
|
||||
### Syncing users from LDAP
|
||||
|
||||
[More information](https://github.com/dani-garcia/vaultwarden/wiki/Syncing-users-from-LDAP)
|
||||
@@ -0,0 +1,23 @@
|
||||
server {
|
||||
listen 80;
|
||||
server_name bw.knast.cc;
|
||||
client_max_body_size 128M;
|
||||
|
||||
location / {
|
||||
proxy_pass http://bitwarden-backend:80;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
|
||||
location /notifications/hub {
|
||||
proxy_pass http://bitwarden-backend:3012;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
}
|
||||
|
||||
location /notifications/hub/negotiate {
|
||||
proxy_pass http://bitwarden-backend:80;
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,149 @@
|
||||
version: '3.8'
|
||||
|
||||
services:
|
||||
bitwarden-frontend:
|
||||
image: nginx:1.15-alpine
|
||||
container_name: bitwarden-frontend
|
||||
restart: unless-stopped
|
||||
volumes:
|
||||
- ./bitwarden.conf:/etc/nginx/conf.d/bitwarden.conf
|
||||
networks:
|
||||
- traefik
|
||||
- db
|
||||
depends_on:
|
||||
- bitwarden-backend
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
- "traefik.http.routers.bw.entrypoints=websecure"
|
||||
- "traefik.http.routers.bw.rule=Host(`bw.$DOMAIN_NAME`)"
|
||||
- "traefik.http.routers.bw.tls.certresolver=letsencr"
|
||||
- "traefik.docker.network=traefik"
|
||||
- "traefik.http.services.bw.loadbalancer.server.port=80"
|
||||
logging:
|
||||
driver: "json-file"
|
||||
options:
|
||||
max-size: "1m"
|
||||
|
||||
bitwarden-backend:
|
||||
image: vaultwarden/server:latest
|
||||
container_name: bitwarden-backend
|
||||
restart: unless-stopped
|
||||
volumes:
|
||||
- /srv/vaultwarden_data:/data
|
||||
environment:
|
||||
- WEBSOCKET_ENABLED=true
|
||||
networks:
|
||||
- db
|
||||
logging:
|
||||
driver: "json-file"
|
||||
options:
|
||||
max-size: "1m"
|
||||
|
||||
bitwarden-backup:
|
||||
image: bruceforce/bw_backup:latest
|
||||
container_name: bitwarden-backup
|
||||
restart: unless-stopped
|
||||
depends_on:
|
||||
- bitwarden-backend
|
||||
volumes:
|
||||
- /srv/vaultwarden_data:/data
|
||||
- /srv/vaultwarden_data_backup:/backup
|
||||
- /etc/timezone:/etc/timezone:ro
|
||||
- /etc/localtime:/etc/localtime:ro
|
||||
environment:
|
||||
- DB_FILE=/data/db.sqlite3
|
||||
- BACKUP_FILE=/backup/backup.sqlite3
|
||||
- CRON_TIME=0 1 * * *
|
||||
- TIMESTAMP=false
|
||||
- UID=0
|
||||
- GID=0
|
||||
networks:
|
||||
- db
|
||||
logging:
|
||||
driver: "json-file"
|
||||
options:
|
||||
max-size: "1m"
|
||||
|
||||
|
||||
# version: '3.9'
|
||||
|
||||
# services:
|
||||
# vaultwarden:
|
||||
# image: vaultwarden/server:latest #swap tag to raspberry to run on a raspberry pi
|
||||
# volumes:
|
||||
# - '/srv/vaultwarden_data:/data'
|
||||
# restart: on-failure
|
||||
# environment:
|
||||
# WEBSOCKET_ENABLED: '${WEBSOCKET_ENABLED}'
|
||||
# SIGNUPS_ALLOWED: '${SIGNUPS_ALLOWED}'
|
||||
# # SIGNUPS_DOMAINS_WHITELIST: '${SIGNUPS_DOMAINS_WHITELIST}'
|
||||
# SIGNUPS_VERIFY: '${SIGNUPS_VERIFY}'
|
||||
# INVITATIONS_ALLOWED: '${INVITATIONS_ALLOWED}'
|
||||
# SHOW_PASSWORD_HINT: '${SHOW_PASSWORD_HINT}'
|
||||
# # ADMIN_TOKEN: '${ADMIN_TOKEN}'
|
||||
# # DISABLE_ADMIN_TOKEN: '${DISABLE_ADMIN_TOKEN}'
|
||||
|
||||
# # Mail Server
|
||||
# # SMTP_HOST: '${SMTP_HOST}'
|
||||
# # SMTP_FROM: '${SMTP_FROM}'
|
||||
# # SMTP_PORT: '${SMTP_PORT}'
|
||||
# # SMTP_SECURITY: '${SMTP_SECURITY}'
|
||||
# # SMTP_USERNAME: '${SMTP_USERNAME}'
|
||||
# # SMTP_PASSWORD: '${SMTP_PASSWORD}'
|
||||
|
||||
# # Logging
|
||||
# LOG_FILE: '/data/vaultwarden.log'
|
||||
# LOG_LEVEL: '${LOG_LEVEL}'
|
||||
# # USE_SYSLOG: '${USE_SYSLOG}'
|
||||
# # EXTENDED_LOGGING: '${EXTENDED_LOGGING}'
|
||||
|
||||
# # YubiKey authentication
|
||||
# # YUBICO_CLIENT_ID: '${YUBICO_CLIENT_ID}'
|
||||
# # YUBICO_SECRET_KEY: '${YUBICO_SECRET_KEY}'
|
||||
# # YUBICO_SERVER: '${YUBICO_SERVER}'
|
||||
|
||||
# nginx:
|
||||
# build: './Docker/nginx'
|
||||
# links:
|
||||
# - vaultwarden
|
||||
# - vw_backup
|
||||
# environment:
|
||||
# VIRTUAL_HOST: '${VIRTUAL_HOST}'
|
||||
# command: /bin/sh -c "/run_nginx.sh"
|
||||
# restart: on-failure
|
||||
# networks:
|
||||
# - traefik
|
||||
# - db
|
||||
# labels:
|
||||
# - "traefik.enable=true"
|
||||
# - "traefik.http.routers.bw.entrypoints=websecure"
|
||||
# - "traefik.http.routers.bw.rule=Host(`bw.$DOMAIN_NAME`)"
|
||||
# - "traefik.http.routers.bw.tls.certresolver=letsencr"
|
||||
# - "traefik.docker.network=traefik"
|
||||
# - "traefik.http.services.bw.loadbalancer.server.port=80"
|
||||
|
||||
# vw_backup:
|
||||
# image: bruceforce/bw_backup:latest #swap tag to rpi3 to run on a raspberry pi
|
||||
# restart: on-failure
|
||||
# depends_on:
|
||||
# - vaultwarden
|
||||
# networks:
|
||||
# - db
|
||||
# volumes:
|
||||
# - '/srv/vaultwarden_data:/data'
|
||||
# - '/srv/vaultwarden_data_backup:/backup'
|
||||
# - '/etc/timezone:/etc/timezone:ro'
|
||||
# - '/etc/localtime:/etc/localtime:ro'
|
||||
# environment:
|
||||
# - DB_FILE=/data/db.sqlite3
|
||||
# - BACKUP_FILE=/backup/backup.sqlite3
|
||||
# - BACKUP_FILE_PERMISSIONS=700
|
||||
# - CRON_TIME=0 1 * * *
|
||||
# - TIMESTAMP=false
|
||||
# - UID=0
|
||||
# - GID=0
|
||||
networks:
|
||||
traefik:
|
||||
external: true
|
||||
db:
|
||||
external: false
|
||||
Reference in New Issue
Block a user