
@Scoder12
Last active April 14, 2024 21:37
Vaultwarden config for docker-compose

Vaultwarden docker-compose nginx

My setup for vaultwarden. Uses a custom certificate authority to sign certificates. Expects vaultwarden.crt (the CA-signed server certificate) and vaultwarden.pem (its private key) to be in ./crts; nginx reads them from there.

See https://github.com/ttionya/vaultwarden-backup for instructions on how to configure rclone for backups.

```yaml
version: "3.9"
services:
  vaultwarden:
    image: vaultwarden/server:latest
    restart: unless-stopped
    volumes:
      - vaultwarden-data:/data/
    # note: these host ports serve vaultwarden unencrypted, bypassing the
    # TLS termination in nginx; only keep them if something needs direct access
    ports:
      - "81:80"
      - "3012:3012"
  nginx:
    image: nginx:latest
    restart: unless-stopped
    volumes:
      - ${PWD}/nginx.conf:/etc/nginx/conf.d/vaultwarden.conf:ro
      - ${PWD}/crts/:/etc/nginx/crts/:ro
    ports:
      - "82:80"
      - "443:443"
    command: [nginx-debug, "-g", "daemon off;"]
  backup:
    image: ttionya/vaultwarden-backup:latest
    restart: unless-stopped
    environment:
      # Remote config
      RCLONE_REMOTE_NAME: crypt
      RCLONE_REMOTE_DIR: 'data'
      # In addition to date, add time to filenames
      BACKUP_FILE_DATE_SUFFIX: '_%H-%M-%S'
      # Backup once an hour
      CRON: '25 * * * *'
      # Clear old entries to save drive space
      BACKUP_KEEP_DAYS: '7'
      # Makes restoring easier as only have to keep track of single file
      ZIP_ENABLE: 'TRUE'
      # I literally don't care, using rclone crypt
      ZIP_PASSWORD: 'hai'
      # Better compression
      ZIP_TYPE: '7z'
      # My timezone
      TIMEZONE: 'America/Los_Angeles'
      # use healthchecks.io
      PING_URL: 'https://hc-ping.com/eef25fcd-54ba-49a7-917f-5fd7cb0395b0'
    # hack for weird time64 bug on debian
    # https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.13.0#time64_requirements
    security_opt:
      - seccomp=default.json
    volumes:
      - vaultwarden-rclone-data:/config/
      - vaultwarden-data:/bitwarden/data/

volumes:
  vaultwarden-data:
    name: vaultwarden-data
  vaultwarden-rclone-data:
    external: true
    name: vaultwarden-rclone-data
```
```nginx
# Redirect HTTP to HTTPS
# disclaimer: I am bad at nginx
# note: `server_name`s aren't used
# note: websocket doesn't work for some reason as vaultwarden doesn't seem to be listening on 3012. odd.
server {
    listen 80;
    listen [::]:80;
    server_name localhost;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name localhost;

    ssl_certificate     /etc/nginx/crts/vaultwarden.crt;
    ssl_certificate_key /etc/nginx/crts/vaultwarden.pem;

    # Allow large attachments
    client_max_body_size 128M;

    location / {
        proxy_pass http://vaultwarden:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # vaultwarden only starts the separate 3012 WebSocket listener when
    # WEBSOCKET_ENABLED=true is set in its environment (newer releases serve
    # WebSockets on the main port instead)
    location /notifications/hub {
        proxy_pass http://vaultwarden:3012;
        # the Upgrade handshake needs HTTP/1.1; nginx proxies with HTTP/1.0 by default
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /notifications/hub/negotiate {
        proxy_pass http://vaultwarden:80;
    }
}
```