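# pulled from https://github.com/dadatuputi/bitwarden_gcloud
#
# Secrets (ADMIN_TOKEN, SMTP_PASSWORD, YUBICO_SECRET_KEY, BACKUP_ENCRYPTION_KEY, ...)
# come from .env through the value-less `environment` entries below; keep .env
# out of version control and readable only by the deploying user.
version: '3'

services:
  bitwarden:
    image: vaultwarden/server:alpine
    restart: always
    container_name: bitwarden
    depends_on:
      - proxy
    volumes:
      - ${PWD}/bitwarden:/data
      - ${PWD}/utilities/backup.sh:/backup.sh:ro
    environment:
      - LOG_FILE=/data/bitwarden.log
      - WEBSOCKET_ENABLED=true  # required for websockets
      - SHOW_PASSWORD_HINT=false
      - DOMAIN=https://${DOMAIN}  # DOMAIN is set in .env but doesn't have protocol prefix
      - SMTP_FROM_NAME=Bitwarden (${DOMAIN})
      # This service publishes no ports, so clients reach it only through the
      # proxy; that is what makes trusting X-Forwarded-For (the address fail2ban
      # bans on) reasonable. Do not publish vaultwarden's port directly while
      # this header is trusted.
      - IP_HEADER=X-Forwarded-For
      - ADMIN_TOKEN  # Value-less variables are set in .env
      - SIGNUPS_ALLOWED
      - SMTP_HOST
      - SMTP_FROM
      - SMTP_PORT
      - SMTP_SSL
      - SMTP_EXPLICIT_TLS
      - SMTP_USERNAME
      - SMTP_PASSWORD
      - YUBICO_CLIENT_ID
      - YUBICO_SECRET_KEY
      - YUBICO_SERVER
      - ORG_CREATE_USER
      - BACKUP
      - BACKUP_DAYS
      - BACKUP_DIR
      - BACKUP_EMAIL_FROM_NAME
      - BACKUP_ENCRYPTION_KEY
      - BACKUP_EMAIL_TO
      - BACKUP_EMAIL_NOTIFY
      - BACKUP_RCLONE_CONF
      - BACKUP_RCLONE_DEST
    # Folded (`>`) scalar: every line is joined with a space, so each shell
    # command must end in `&&` or `;` or it merges into the next one.
    # `$BACKUP` and `$BACKUP_SCHEDULE` are substituted by compose from .env when
    # this file is parsed (write `$$VAR` to defer to the container's shell).
    command: >
      sh -c 'if [ -n "$BACKUP" ];
      then
      apk --update --no-cache add sqlite &&
      ln -sf /proc/1/fd/1 /var/log/backup.log &&
      sed -i "/ash \\/backup\\.sh /d" /etc/crontabs/root &&
      echo "$BACKUP_SCHEDULE ash /backup.sh $BACKUP" >> /etc/crontabs/root &&
      crond -d 8;
      fi &&
      exec /start.sh'

  proxy:
    # Caddy provides an automatic HTTPS reverse proxy with Let's Encrypt cert provisioning
    # https://caddyserver.com/
    image: caddy/caddy:alpine
    restart: always
    container_name: proxy
    volumes:
      - ${PWD}/caddy/Caddyfile:/etc/caddy/Caddyfile:ro
      - ${PWD}/caddy/data:/data
      - caddycerts:/root/.caddy
    ports:
      # Quoted so YAML 1.1 parsers never read a mapping as a base-60 integer;
      # these are the only ports the stack publishes.
      - "80:80"  # Port 80 is necessary for Let's Encrypt ACME
      - "443:443"
    environment:
      - LOG_FILE=/data/logs/caddy.log
      - ACME_AGREE=true  # agree to ACME for auto HTTPS
      - DOMAIN  # Value-less variables are set in .env
      - EMAIL

  ddns:
    # This provides a ddclient dynamic dns updating cron which is as simple as running it
    # and editing the ddns/config/ddclient.conf file
    # https://github.com/linuxserver/docker-ddclient
    image: linuxserver/ddclient
    restart: always
    container_name: ddns
    depends_on:
      - bitwarden
    volumes:
      - ${PWD}/ddns:/config
    environment:
      - PUID
      - PGID
      - TZ

  fail2ban:
    # Implements fail2ban functionality, banning ips that
    # try to bruteforce your vault
    # https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup
    # https://github.com/crazy-max/docker-fail2ban
    image: crazymax/fail2ban:latest
    restart: always
    container_name: fail2ban
    depends_on:
      - bitwarden
    volumes:
      - ${PWD}/fail2ban:/data
      - ${PWD}/bitwarden:/bitwarden:ro
    network_mode: "host"
    # `privileged` grants every capability plus host device access and makes the
    # cap_add list below redundant. iptables in host network mode usually needs
    # only NET_ADMIN and NET_RAW; try without `privileged` and keep it only if
    # banning stops working.
    privileged: true
    cap_add:
      - NET_ADMIN
      - NET_RAW
    environment:
      - F2B_DB_PURGE_AGE=30d
      - F2B_LOG_TARGET=/data/fail2ban.log
      - F2B_LOG_LEVEL=INFO
      - F2B_IPTABLES_CHAIN=INPUT
      # The SMTP credentials are copied into this container's environment and
      # are readable through `docker inspect` by anyone with Docker access.
      - SSMTP_HOST=${SMTP_HOST}
      - SSMTP_PORT=${SMTP_PORT}
      - SSMTP_USER=${SMTP_USERNAME}
      - SSMTP_PASSWORD=${SMTP_PASSWORD}
      - SSMTP_HOSTNAME=Bitwarden (${DOMAIN})
      - SSMTP_TLS=${SMTP_SSL}
      - SSMTP_STARTTLS=YES
      - TZ

  countryblock:
    # The block script will block any country (defaults to CN and AU)
    # Requires cap_add as listed and privileged because it uses iptables and ipset
    # https://hub.docker.com/_/alpine/
    image: alpine:latest
    restart: always
    container_name: countryblock
    depends_on:
      - bitwarden
    volumes:
      - ${PWD}/countryblock/block.sh:/block.sh:ro
    network_mode: "host"
    # As for fail2ban: `privileged` already implies NET_ADMIN and NET_RAW, so the
    # cap_add entries only document what the script actually needs.
    privileged: true
    cap_add:
      - NET_ADMIN
      - NET_RAW
    environment:
      - COUNTRIES
      - COUNTRYBLOCK_SCHEDULE
      - TZ
    # `$COUNTRYBLOCK_SCHEDULE` is substituted by compose at parse time, as in the
    # bitwarden service above.
    command: >
      sh -c 'apk --update --no-cache add ipset iptables ip6tables wget bash tzdata &&
      ln -sf /proc/1/fd/1 /var/log/block.log &&
      sed -i "/bash \\/block\\.sh update/d" /etc/crontabs/root &&
      echo "$COUNTRYBLOCK_SCHEDULE bash /block.sh update" >> /etc/crontabs/root &&
      crond -d 8 &&
      bash /block.sh start'

  watchtower:
    # Watchtower will pull down your new image, gracefully shut down your existing container
    # and restart it with the same options that were used when it was deployed initially
    # https://github.com/containrrr/watchtower
    image: containrrr/watchtower
    restart: always
    container_name: watchtower
    depends_on:
      - bitwarden
    volumes:
      # The Docker socket gives this container control of the daemon (root-
      # equivalent on the host). Combined with the unpinned tags above
      # (:latest / :alpine), every service is replaced automatically whenever
      # the upstream tag moves, so image changes are applied without review.
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - WATCHTOWER_CLEANUP=true
      - WATCHTOWER_SCHEDULE
      - TZ

volumes:
  # Explicit empty mapping: a bare `caddycerts:` parses as null, not as an
  # empty volume definition.
  caddycerts: {}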