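# pulled from https://github.com/dadatuputi/bitwarden_gcloud
#
# Compose stack: vaultwarden behind a Caddy HTTPS proxy, with ddclient (dynamic DNS),
# fail2ban, an iptables/ipset country block and watchtower as side containers.
# Every value-less environment entry below is read from the .env next to this file.
version: '3'

services:
  bitwarden:
    image: vaultwarden/server:alpine
    restart: always
    container_name: bitwarden
    depends_on:
      - proxy
    volumes:
      - ${PWD}/bitwarden:/data
      - ${PWD}/utilities/backup.sh:/backup.sh:ro
    environment:
      - LOG_FILE=/data/bitwarden.log
      - WEBSOCKET_ENABLED=true  # required for websockets
      - SHOW_PASSWORD_HINT=false
      - DOMAIN=https://${DOMAIN}  # DOMAIN is set in .env but doesn't have protocol prefix
      - SMTP_FROM_NAME=Bitwarden (${DOMAIN})
      - IP_HEADER=X-Forwarded-For
      # Value-less variables are set in .env. That file holds ADMIN_TOKEN, the SMTP
      # credentials and BACKUP_ENCRYPTION_KEY, so keep it out of version control.
      - ADMIN_TOKEN
      - SIGNUPS_ALLOWED
      - SMTP_HOST
      - SMTP_FROM
      - SMTP_PORT
      - SMTP_SSL
      - SMTP_EXPLICIT_TLS
      - SMTP_USERNAME
      - SMTP_PASSWORD
      - YUBICO_CLIENT_ID
      - YUBICO_SECRET_KEY
      - YUBICO_SERVER
      - ORG_CREATE_USER
      - BACKUP
      - BACKUP_DAYS
      - BACKUP_DIR
      - BACKUP_EMAIL_FROM_NAME
      - BACKUP_ENCRYPTION_KEY
      - BACKUP_EMAIL_TO
      - BACKUP_EMAIL_NOTIFY
      - BACKUP_RCLONE_CONF
      - BACKUP_RCLONE_DEST
    # When BACKUP is set: install sqlite, send the backup log to the container's
    # stdout, (re)register the backup cron line and start crond, then hand off to
    # the image's own /start.sh. The folded scalar joins these lines with spaces
    # into one shell command line, so each step is chained explicitly with && —
    # without the && after the apk line, "ln -sf ..." is passed to apk as package
    # names and the cron entry is never written.
    command: >
      sh -c 'if [ -n "$BACKUP" ]; then
      apk --update --no-cache add sqlite &&
      ln -sf /proc/1/fd/1 /var/log/backup.log &&
      sed -i "/ash \\/backup\\.sh /d" /etc/crontabs/root &&
      echo "$BACKUP_SCHEDULE ash /backup.sh $BACKUP" >> /etc/crontabs/root &&
      crond -d 8;
      fi &&
      exec /start.sh'

  proxy:
    # Caddy provides an automatic HTTPS reverse proxy with Let's Encrypt cert provisioning
    # https://caddyserver.com/
    image: caddy/caddy:alpine
    restart: always
    container_name: proxy
    volumes:
      - ${PWD}/caddy/Caddyfile:/etc/caddy/Caddyfile:ro
      - ${PWD}/caddy/data:/data
      - caddycerts:/root/.caddy
    # Port mappings are quoted so no YAML parser can read them as numbers.
    ports:
      - "80:80"  # Port 80 is necessary for Let's Encrypt ACME
      - "443:443"
    environment:
      - LOG_FILE=/data/logs/caddy.log
      - ACME_AGREE=true  # agree to ACME for auto HTTPS
      - DOMAIN  # Value-less variables are set in .env
      - EMAIL

  ddns:
    # This provides a ddclient dynamic dns updating cron which is as simple as running it
    # and editing the ddns/config/ddclient.conf file
    # https://github.com/linuxserver/docker-ddclient
    image: linuxserver/ddclient
    restart: always
    container_name: ddns
    depends_on:
      - bitwarden
    volumes:
      - ${PWD}/ddns:/config
    environment:
      - PUID
      - PGID
      - TZ

  fail2ban:
    # Implements fail2ban functionality, banning ips that
    # try to bruteforce your vault
    # https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup
    # https://github.com/crazy-max/docker-fail2ban
    image: crazymax/fail2ban:latest
    restart: always
    container_name: fail2ban
    depends_on:
      - bitwarden
    volumes:
      - ${PWD}/fail2ban:/data
      - ${PWD}/bitwarden:/bitwarden:ro  # read-only: only the vaultwarden log is needed
    # NOTE(review): privileged already grants every capability, so the cap_add
    # entries are redundant while it is set; NET_ADMIN/NET_RAW are what iptables
    # needs — check whether privileged can be dropped for this image.
    network_mode: "host"
    privileged: true
    cap_add:
      - NET_ADMIN
      - NET_RAW
    environment:
      - F2B_DB_PURGE_AGE=30d
      - F2B_LOG_TARGET=/data/fail2ban.log
      - F2B_LOG_LEVEL=INFO
      - F2B_IPTABLES_CHAIN=INPUT
      # SMTP credentials are copied from .env for ban notifications; they are
      # visible to anyone who can inspect this container's environment.
      - SSMTP_HOST=${SMTP_HOST}
      - SSMTP_PORT=${SMTP_PORT}
      - SSMTP_USER=${SMTP_USERNAME}
      - SSMTP_PASSWORD=${SMTP_PASSWORD}
      - SSMTP_HOSTNAME=Bitwarden (${DOMAIN})
      - SSMTP_TLS=${SMTP_SSL}
      - SSMTP_STARTTLS=YES
      - TZ

  countryblock:
    # The block script will block any country (defaults to CN and AU)
    # Requires cap_add as listed and privileged because it uses iptables and ipset
    # https://hub.docker.com/_/alpine/
    image: alpine:latest
    restart: always
    container_name: countryblock
    depends_on:
      - bitwarden
    volumes:
      - ${PWD}/countryblock/block.sh:/block.sh:ro
    # NOTE(review): as with fail2ban, privileged makes the cap_add list redundant;
    # host networking plus privileged means this container can rewrite the host
    # firewall, so the mounted block.sh must be trusted.
    network_mode: "host"
    privileged: true
    cap_add:
      - NET_ADMIN
      - NET_RAW
    environment:
      - COUNTRIES
      - COUNTRYBLOCK_SCHEDULE
      - TZ
    # Install the firewall tooling, route the block log to stdout, (re)register the
    # update cron line, start crond and apply the initial block set. All lines are
    # at one indent so the folded scalar produces a single && chain.
    command: >
      sh -c 'apk --update --no-cache add ipset iptables ip6tables wget bash tzdata &&
      ln -sf /proc/1/fd/1 /var/log/block.log &&
      sed -i "/bash \\/block\\.sh update/d" /etc/crontabs/root &&
      echo "$COUNTRYBLOCK_SCHEDULE bash /block.sh update" >> /etc/crontabs/root &&
      crond -d 8 &&
      bash /block.sh start'

  watchtower:
    # Watchtower will pull down your new image, gracefully shut down your existing container
    # and restart it with the same options that were used when it was deployed initially
    # https://github.com/containrrr/watchtower
    image: containrrr/watchtower
    restart: always
    container_name: watchtower
    depends_on:
      - bitwarden
    volumes:
      # The Docker socket gives this container control of the host's Docker daemon
      # (root-equivalent on the host); only a trusted image should receive it.
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - WATCHTOWER_CLEANUP=true
      - WATCHTOWER_SCHEDULE
      - TZ

volumes:
  caddycerts: {}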