yuna0x0/.env.example

## .env.example
TIMEZONE=Asia/Taipei
VAULTWARDEN_ADMIN_TOKEN=
VAULTWARDEN_LOCALHOST_PORT=6699
CADDY_HOSTNAME=example.com:7777
SYNO_CERT_PATH=/usr/syno/etc/certificate/_archive/$(cat /usr/syno/etc/certificate/_archive/DEFAULT)

## Caddyfile

# Uncomment this in addition with the import admin_redir statement allow access to the admin interface only from local networks
# (admin_redir) {
#        @admin {
#                path /admin*
#                not remote_ip private_ranges
#        }
#        redir @admin /
# }

{
  auto_https disable_redirects
}

{$HOSTNAME} {
  log {
    level INFO
    output file {$LOG_FILE} {
      roll_size 10MB
      roll_keep 10
    }
  }

  # Uncomment this if you want to get a cert via ACME (Let's Encrypt or ZeroSSL).
  # tls {$EMAIL}

  # Or uncomment this if you're providing your own cert. You would also use this option
  # if you're running behind Cloudflare.
  tls {$SSL_CERT_PATH} {$SSL_KEY_PATH}

  # This setting may have compatibility issues with some browsers
  # (e.g., attachment downloading on Firefox). Try disabling this
  # if you encounter issues.
  encode zstd gzip

  # Uncomment to improve security (WARNING: only use if you understand the implications!)
  # If you want to use FIDO2 WebAuthn, set X-Frame-Options to "SAMEORIGIN" or the Browser will block those requests
  header {
    # Enable HTTP Strict Transport Security (HSTS)
    # Strict-Transport-Security "max-age=31536000;"
    # Enable cross-site filter (XSS) and tell browser to block detected attacks
    X-XSS-Protection "1; mode=block"
    # Disallow the site to be rendered within a frame (clickjacking protection)
    X-Frame-Options "SAMEORIGIN"
    # Prevent search engines from indexing (optional)
    X-Robots-Tag "none"
    # Server name removing
    -Server
  }

# Uncomment to allow access to the admin interface only from local networks
# import admin_redir

  # Proxy everything to Rocket
  # if located at a sub-path the reverse_proxy line will look like:
  #   reverse_proxy /subpath/* <SERVER>:80
  reverse_proxy :{$VAULTWARDEN_LOCALHOST_PORT} {
    # Send the true remote IP to Rocket, so that Vaultwarden can put this in the
    # log, so that fail2ban can ban the correct IP.
    header_up X-Real-IP {remote_host}
  }
}

## docker-compose.yml
# Vaultwarden (Caddy) Docker Compose for Synology NAS
version: "3"
services:
  vaultwarden:
    restart: always
    image: "vaultwarden/server:latest"
    container_name: vaultwarden
    environment:
      # Timezone settings, important for Fail2ban to work
      - TZ=${TIMEZONE}
      # Logging connection attemps
      - LOG_FILE=/data/vaultwarden.log
      - ROCKET_ADDRESS=127.0.0.1
      - ROCKET_PORT=${VAULTWARDEN_LOCALHOST_PORT}
      # Beef up a bit
      - ROCKET_WORKERS=20
      - ADMIN_TOKEN=${VAULTWARDEN_ADMIN_TOKEN}
      # - SMTP_HOST=smtp.domain.tld
      # - SMTP_PORT=587
      # - SMTP_FROM=vaultwarden@domain.tld
      # - SMTP_FROM_NAME=Vaultwarden
      # - SMTP_USERNAME=username
      # - SMTP_PASSWORD=password
    network_mode: 'host'
    volumes:
      - /volume1/vaultwarden/vw-data:/data

  caddy:
    restart: always
    image: "caddy:latest"
    container_name: vaultwarden_caddy
    environment:
      - TZ=${TIMEZONE}
      - LOG_FILE=/data/logs/caddy.log
      # Update this if SSL required according to the use of your own cert or requuest one via ACME
      - SSL_CERT_PATH=/syno-cert/fullchain.pem
      - SSL_KEY_PATH=/syno-cert/privkey.pem
      - HOSTNAME=${CADDY_HOSTNAME}
      # - EMAIL=mail@mail.com
      - VAULTWARDEN_LOCALHOST_PORT=${VAULTWARDEN_LOCALHOST_PORT}
    network_mode: 'host'
    volumes:
      - /volume1/vaultwarden/caddy-data/Caddyfile:/etc/caddy/Caddyfile
      - /volume1/vaultwarden/caddy-data/data:/data
      - /volume1/vaultwarden/caddy-data/config:/config
      - ${SYNO_CERT_PATH}:/syno-cert

## run.sh
#!/bin/bash

action="$1"

case "$action" in
    "up")
        # Start the process
        echo "Starting Vaultwarden..."
        SYNO_CERT_PATH=/usr/syno/etc/certificate/_archive/$(cat /usr/syno/etc/certificate/_archive/DEFAULT) \
        docker-compose -f docker-compose.yml up -d
        ;;
    "up-term")
        # Start the process
        echo "Starting Vaultwarden..."
        SYNO_CERT_PATH=/usr/syno/etc/certificate/_archive/$(cat /usr/syno/etc/certificate/_archive/DEFAULT) \
        docker-compose -f docker-compose.yml up
        ;;
    "update")
        # Perform an update
        echo "Stopping and Updating Vaultwarden..."
        docker-compose -f docker-compose.yml down
        docker-compose -f docker-compose.yml pull
        ;;
    "down")
        # Stop the process
        echo "Stopping Vaultwarden..."
        docker-compose -f docker-compose.yml down
        ;;
    *)
        # Fallback for no input or other input
        echo "Invalid input. Usage: ./run.sh [up|up-term|update|down]"
        ;;
esac
	TIMEZONE=Asia/Taipei
	VAULTWARDEN_ADMIN_TOKEN=
	VAULTWARDEN_LOCALHOST_PORT=6699
	CADDY_HOSTNAME=example.com:7777
	SYNO_CERT_PATH=/usr/syno/etc/certificate/_archive/$(cat /usr/syno/etc/certificate/_archive/DEFAULT)

	# Uncomment this in addition with the import admin_redir statement allow access to the admin interface only from local networks
	# (admin_redir) {
	# @admin {
	# path /admin*
	# not remote_ip private_ranges
	# }
	# redir @admin /
	# }

	{
	auto_https disable_redirects
	}

	{$HOSTNAME} {
	log {
	level INFO
	output file {$LOG_FILE} {
	roll_size 10MB
	roll_keep 10
	}
	}

	# Uncomment this if you want to get a cert via ACME (Let's Encrypt or ZeroSSL).
	# tls {$EMAIL}

	# Or uncomment this if you're providing your own cert. You would also use this option
	# if you're running behind Cloudflare.
	tls {$SSL_CERT_PATH} {$SSL_KEY_PATH}

	# This setting may have compatibility issues with some browsers
	# (e.g., attachment downloading on Firefox). Try disabling this
	# if you encounter issues.
	encode zstd gzip

	# Uncomment to improve security (WARNING: only use if you understand the implications!)
	# If you want to use FIDO2 WebAuthn, set X-Frame-Options to "SAMEORIGIN" or the Browser will block those requests
	header {
	# Enable HTTP Strict Transport Security (HSTS)
	# Strict-Transport-Security "max-age=31536000;"
	# Enable cross-site filter (XSS) and tell browser to block detected attacks
	X-XSS-Protection "1; mode=block"
	# Disallow the site to be rendered within a frame (clickjacking protection)
	X-Frame-Options "SAMEORIGIN"
	# Prevent search engines from indexing (optional)
	X-Robots-Tag "none"
	# Server name removing
	-Server
	}

	# Uncomment to allow access to the admin interface only from local networks
	# import admin_redir

	# Proxy everything to Rocket
	# if located at a sub-path the reverse_proxy line will look like:
	# reverse_proxy /subpath/* <SERVER>:80
	reverse_proxy :{$VAULTWARDEN_LOCALHOST_PORT} {
	# Send the true remote IP to Rocket, so that Vaultwarden can put this in the
	# log, so that fail2ban can ban the correct IP.
	header_up X-Real-IP {remote_host}
	}
	}
	# Vaultwarden (Caddy) Docker Compose for Synology NAS
	version: "3"
	services:
	vaultwarden:
	restart: always
	image: "vaultwarden/server:latest"
	container_name: vaultwarden
	environment:
	# Timezone settings, important for Fail2ban to work
	- TZ=${TIMEZONE}
	# Logging connection attemps
	- LOG_FILE=/data/vaultwarden.log
	- ROCKET_ADDRESS=127.0.0.1
	- ROCKET_PORT=${VAULTWARDEN_LOCALHOST_PORT}
	# Beef up a bit
	- ROCKET_WORKERS=20
	- ADMIN_TOKEN=${VAULTWARDEN_ADMIN_TOKEN}
	# - SMTP_HOST=smtp.domain.tld
	# - SMTP_PORT=587
	# - SMTP_FROM=vaultwarden@domain.tld
	# - SMTP_FROM_NAME=Vaultwarden
	# - SMTP_USERNAME=username
	# - SMTP_PASSWORD=password
	network_mode: 'host'
	volumes:
	- /volume1/vaultwarden/vw-data:/data

	caddy:
	restart: always
	image: "caddy:latest"
	container_name: vaultwarden_caddy
	environment:
	- TZ=${TIMEZONE}
	- LOG_FILE=/data/logs/caddy.log
	# Update this if SSL required according to the use of your own cert or requuest one via ACME
	- SSL_CERT_PATH=/syno-cert/fullchain.pem
	- SSL_KEY_PATH=/syno-cert/privkey.pem
	- HOSTNAME=${CADDY_HOSTNAME}
	# - EMAIL=mail@mail.com
	- VAULTWARDEN_LOCALHOST_PORT=${VAULTWARDEN_LOCALHOST_PORT}
	network_mode: 'host'
	volumes:
	- /volume1/vaultwarden/caddy-data/Caddyfile:/etc/caddy/Caddyfile
	- /volume1/vaultwarden/caddy-data/data:/data
	- /volume1/vaultwarden/caddy-data/config:/config
	- ${SYNO_CERT_PATH}:/syno-cert
	#!/bin/bash

	action="$1"

	case "$action" in
	"up")
	# Start the process
	echo "Starting Vaultwarden..."
	SYNO_CERT_PATH=/usr/syno/etc/certificate/_archive/$(cat /usr/syno/etc/certificate/_archive/DEFAULT) \
	docker-compose -f docker-compose.yml up -d
	;;
	"up-term")
	# Start the process
	echo "Starting Vaultwarden..."
	SYNO_CERT_PATH=/usr/syno/etc/certificate/_archive/$(cat /usr/syno/etc/certificate/_archive/DEFAULT) \
	docker-compose -f docker-compose.yml up
	;;
	"update")
	# Perform an update
	echo "Stopping and Updating Vaultwarden..."
	docker-compose -f docker-compose.yml down
	docker-compose -f docker-compose.yml pull
	;;
	"down")
	# Stop the process
	echo "Stopping Vaultwarden..."
	docker-compose -f docker-compose.yml down
	;;
	*)
	# Fallback for no input or other input
	echo "Invalid input. Usage: ./run.sh [up\|up-term\|update\|down]"
	;;
	esac