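# pulled from https://github.com/dadatuputi/bitwarden_gcloud
#
# Vaultwarden (Bitwarden-compatible) stack: the server sits behind a Caddy
# reverse proxy that terminates HTTPS; ddclient keeps DNS current, fail2ban and
# a country-block script manage the host firewall, and watchtower auto-updates
# images. Value-less `environment` entries are read from the .env file next to
# this compose file, so that file carries ADMIN_TOKEN and the SMTP / Yubico /
# backup secrets and should stay out of version control.
version: '3'

services:
  bitwarden:
    image: vaultwarden/server:alpine
    restart: always
    container_name: bitwarden
    depends_on:
      - proxy
    volumes:
      - ${PWD}/bitwarden:/data
      - ${PWD}/utilities/backup.sh:/backup.sh:ro
    environment:
      - LOG_FILE=/data/bitwarden.log
      - WEBSOCKET_ENABLED=true  # required for websockets
      - SHOW_PASSWORD_HINT=false
      - DOMAIN=https://${DOMAIN}  # DOMAIN is set in .env but doesn't have protocol prefix
      - SMTP_FROM_NAME=Bitwarden (${DOMAIN})
      # Client IP is taken from the header the proxy sets; this service publishes
      # no ports of its own, so the header is only ever set by the proxy.
      - IP_HEADER=X-Forwarded-For
      - ADMIN_TOKEN  # Value-less variables are set in .env
      - SIGNUPS_ALLOWED
      - SMTP_HOST
      - SMTP_FROM
      - SMTP_PORT
      - SMTP_SSL
      - SMTP_EXPLICIT_TLS
      - SMTP_USERNAME
      - SMTP_PASSWORD
      - YUBICO_CLIENT_ID
      - YUBICO_SECRET_KEY
      - YUBICO_SERVER
      - ORG_CREATE_USER
      - BACKUP
      - BACKUP_DAYS
      - BACKUP_DIR
      - BACKUP_EMAIL_FROM_NAME
      - BACKUP_ENCRYPTION_KEY
      - BACKUP_EMAIL_TO
      - BACKUP_EMAIL_NOTIFY
      - BACKUP_RCLONE_CONF
      - BACKUP_RCLONE_DEST
    # Optional backup cron, installed only when BACKUP is set. The cron log is
    # linked to PID 1's stdout so backup output shows up in `docker logs`.
    # This is a folded (`>`) scalar: every line is joined with a space, so the
    # `&&` after the apk line is required — without it `ln -sf ...` would be
    # folded onto the apk command line as extra package arguments.
    command: >
      sh -c 'if [ -n "$BACKUP" ];
      then
      apk --update --no-cache add sqlite &&
      ln -sf /proc/1/fd/1 /var/log/backup.log &&
      sed -i "/ash \\/backup\\.sh /d" /etc/crontabs/root &&
      echo "$BACKUP_SCHEDULE ash /backup.sh $BACKUP" >> /etc/crontabs/root &&
      crond -d 8;
      fi &&
      exec /start.sh'

  proxy:
    # Caddy provides an automatic HTTPS reverse proxy with Let's Encrypt cert provisioning
    # https://caddyserver.com/
    image: caddy/caddy:alpine
    restart: always
    container_name: proxy
    volumes:
      - ${PWD}/caddy/Caddyfile:/etc/caddy/Caddyfile:ro
      - ${PWD}/caddy/data:/data
      - caddycerts:/root/.caddy
    # Port mappings are quoted so no YAML parser can read them as numbers.
    ports:
      - "80:80"  # Port 80 is necessary for Let's Encrypt ACME
      - "443:443"
    environment:
      - LOG_FILE=/data/logs/caddy.log
      - ACME_AGREE=true  # agree to ACME for auto HTTPS
      - DOMAIN  # Value-less variables are set in .env
      - EMAIL

  ddns:
    # This provides a ddclient dynamic dns updating cron which is as simple as running it
    # and editing the ddns/config/ddclient.conf file
    # https://github.com/linuxserver/docker-ddclient
    image: linuxserver/ddclient
    restart: always
    container_name: ddns
    depends_on:
      - bitwarden
    volumes:
      - ${PWD}/ddns:/config
    environment:
      - PUID
      - PGID
      - TZ

  fail2ban:
    # Implements fail2ban functionality, banning ips that
    # try to bruteforce your vault
    # https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup
    # https://github.com/crazy-max/docker-fail2ban
    image: crazymax/fail2ban:latest
    restart: always
    container_name: fail2ban
    depends_on:
      - bitwarden
    volumes:
      - ${PWD}/fail2ban:/data
      - ${PWD}/bitwarden:/bitwarden:ro  # read-only view of bitwarden.log for the jail filter
    # Host networking so bans land in the host's INPUT chain (F2B_IPTABLES_CHAIN).
    network_mode: "host"
    # NOTE(review): privileged grants every capability plus host devices, which
    # makes the cap_add list below redundant; NET_ADMIN/NET_RAW are what iptables
    # needs. Confirm the image runs without privileged and drop it if so.
    privileged: true
    cap_add:
      - NET_ADMIN
      - NET_RAW
    environment:
      - F2B_DB_PURGE_AGE=30d
      - F2B_LOG_TARGET=/data/fail2ban.log
      - F2B_LOG_LEVEL=INFO
      - F2B_IPTABLES_CHAIN=INPUT
      # Ban notifications reuse the same SMTP account as the vault itself.
      - SSMTP_HOST=${SMTP_HOST}
      - SSMTP_PORT=${SMTP_PORT}
      - SSMTP_USER=${SMTP_USERNAME}
      - SSMTP_PASSWORD=${SMTP_PASSWORD}
      - SSMTP_HOSTNAME=Bitwarden (${DOMAIN})
      - SSMTP_TLS=${SMTP_SSL}
      - SSMTP_STARTTLS=YES
      - TZ

  countryblock:
    # The block script will block any country (defaults to CN and AU)
    # Requires cap_add as listed and privileged because it uses iptables and ipset
    # https://hub.docker.com/_/alpine/
    image: alpine:latest
    restart: always
    container_name: countryblock
    depends_on:
      - bitwarden
    volumes:
      - ${PWD}/countryblock/block.sh:/block.sh:ro
    network_mode: "host"
    # NOTE(review): as with fail2ban, privileged is a superset of the cap_add
    # entries below; ipset/iptables normally need only NET_ADMIN (and NET_RAW).
    # Verify block.sh works with the capabilities alone before keeping privileged.
    privileged: true
    cap_add:
      - NET_ADMIN
      - NET_RAW
    environment:
      - COUNTRIES
      - COUNTRYBLOCK_SCHEDULE
      - TZ
    # Installs the firewall tooling at start, schedules `block.sh update` via cron
    # (cron log linked to PID 1's stdout) and then runs the initial block.
    command: >
      sh -c 'apk --update --no-cache add ipset iptables ip6tables wget bash tzdata &&
      ln -sf /proc/1/fd/1 /var/log/block.log &&
      sed -i "/bash \\/block\\.sh update/d" /etc/crontabs/root &&
      echo "$COUNTRYBLOCK_SCHEDULE bash /block.sh update" >> /etc/crontabs/root &&
      crond -d 8 &&
      bash /block.sh start'

  watchtower:
    # Watchtower will pull down your new image, gracefully shut down your existing container
    # and restart it with the same options that were used when it was deployed initially
    # https://github.com/containrrr/watchtower
    #
    # NOTE(review): several services above use floating tags (`:latest`, `:alpine`,
    # no tag), so watchtower will roll out whatever upstream publishes next without
    # review. Pin tags (or digests) for the images you want to control.
    image: containrrr/watchtower
    restart: always
    container_name: watchtower
    depends_on:
      - bitwarden
    volumes:
      # Access to the Docker socket is equivalent to root on the host; watchtower
      # needs it to pull images and recreate containers. Mounting it read-only
      # would not limit API calls, so this container must be treated as fully
      # trusted.
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - WATCHTOWER_CLEANUP=true
      - WATCHTOWER_SCHEDULE
      - TZ

# Named volume so Caddy's certificates survive container recreation.
volumes:
  caddycerts: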