

Vaultwarden Caddy Docker Compose


Caddy v2

cat caddy/docker-compose.yaml
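version: '3'
services:
  caddy:
    image: caddy:alpine
    container_name: webserver
    restart: unless-stopped
    ports:
      # Quoted so no YAML 1.1 parser can read HOST:CONTAINER as a number.
      # 80 is needed for the ACME HTTP challenge and the HTTP->HTTPS
      # redirect; 443 serves the proxied sites.
      - "80:80"
      - "443:443"
    volumes:
      # /data holds the ACME account key and issued certificates; losing it
      # forces re-issuance, which counts against the CA's rate limits.
      - ./caddy_data:/data
      - ./caddy_config:/config
      # Caddy only reads its config file, so mount it read-only.
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
    networks:
      - proxy-network
networks:
  proxy-network:
    # Created outside this file, e.g. `docker network create proxy-network`,
    # so the Vaultwarden stack can join the same network.
    external: true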
cat caddy/Caddyfile
{
    # Contact address for the ACME account. The value shown is how this
    # page renders the address; put a real mailbox here.
    email [email protected]
    # ZeroSSL's ACME endpoint. ZeroSSL requires External Account Binding
    # (EAB) credentials; whether Caddy can request them itself from the
    # email above depends on the Caddy version — confirm, and otherwise
    # fill in the acme_eab block below.
    acme_ca https://acme.zerossl.com/v2/DV90
    # optional
    # acme_eab {
    #     key_id  your kbid
    #     mac_key your hmac key
    # }
}

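(security_header) {
    # Caddy v2 directives end at the newline; a trailing ';' is not a
    # terminator but becomes part of the header value (e.g. "nosniff;"),
    # which browsers reject. The values below carry no stray semicolons.
    header {
        Content-Security-Policy "upgrade-insecure-requests"
        # Uncomment once the site is stable on HTTPS: browsers cache the
        # policy for max-age seconds, so it is hard to roll back.
        #Strict-Transport-Security max-age=31536000
        X-Content-Type-Options nosniff
        # Legacy header; current browsers ignore it, but it is harmless.
        X-XSS-Protection "1; mode=block"
        X-Robots-Tag none
        X-Frame-Options SAMEORIGIN
        Referrer-Policy no-referrer-when-downgrade
    }
}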

(cors) {
  # Per-origin CORS allow-list: importing it with one argument (an origin
  # URL) adds the two headers only when the request's Origin header equals
  # that argument. Nothing in this Caddyfile imports it, so as shown it is
  # inert; the site block below only imports security_header.
  @origin{args.0} header Origin {args.0}
  header @origin{args.0} Access-Control-Allow-Origin "{args.0}"
  header @origin{args.0} Vary Origin
}

yoursub.domain.tld {
    # Live-sync WebSocket hub; only needed while WEBSOCKET_ENABLED=true in
    # the Vaultwarden compose file. Caddy tries the handler with the longer
    # path matcher first, so this route takes precedence over the catch-all
    # below regardless of order — confirm against the Caddy version in use.
    reverse_proxy /notifications/hub bitwarden:3012
    # Everything else goes to the web vault/API over the shared
    # proxy-network. reverse_proxy sets X-Forwarded-For, which the
    # IP_HEADER setting in the Vaultwarden compose file consumes.
    reverse_proxy bitwarden:80
    import security_header
}

Vaultwarden

cat bitwarden/docker-compose.yaml
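version: '3'

services:
  bitwarden:
    # Pin a release (vaultwarden/server:<version>) for reproducible upgrades;
    # `latest` changes under you on every pull.
    image: vaultwarden/server:latest
    container_name: vaultwarden
    # unless-stopped, matching the Caddy and MariaDB services, so a container
    # stopped by hand stays stopped across daemon restarts.
    restart: unless-stopped
    environment:
      # Trust the client-IP header that Caddy's reverse_proxy sets, so logs
      # and rate limiting see the client address instead of the proxy's.
      - IP_HEADER=X-Forwarded-For
      # Enables the live-sync hub on port 3012 (the /notifications/hub route
      # in the Caddyfile).
      - WEBSOCKET_ENABLED=true
      # Keep signups closed on an internet-facing instance; invite users
      # from the admin page instead.
      - SIGNUPS_ALLOWED=false
      # Must be the public URL Caddy serves; the client validates it.
      - DOMAIN=https://yoursub.domain.tld
      - SMTP_HOST=
      - SMTP_FROM=
      - SMTP_PORT=587
      # Newer releases replaced SMTP_SSL with SMTP_SECURITY — check the
      # release notes for the version you pin.
      - SMTP_SSL=true
      - SMTP_USERNAME=
      # Secrets come from a .env file next to this compose file (or the shell
      # environment) so they are never committed with the config.
      # `${VAR:?msg}` makes compose refuse to start while the value is unset;
      # `${VAR:-}` keeps an optional value empty, as the original had it.
      - SMTP_PASSWORD=${SMTP_PASSWORD:-}
      # Newer releases also accept an Argon2 hash here (`vaultwarden hash`)
      # instead of the plaintext token — check your version's documentation.
      - ADMIN_TOKEN=${ADMIN_TOKEN:?set ADMIN_TOKEN in .env}
      # The host part must resolve on internal-network; with the MariaDB
      # compose file below that is its service/container name, mariadb.
      # User, password and database must match MYSQL_USER/MYSQL_PASSWORD/
      # MYSQL_DATABASE there.
      - DATABASE_URL=mysql://db_user:${DB_PASSWORD:?set DB_PASSWORD in .env}@mariadb/db_name
    volumes:
      # Attachments, RSA keys and (for SQLite setups) the database live here.
      - ./data:/data
    networks:
      # internal-network reaches MariaDB; proxy-network is reached by Caddy.
      # No ports are published: Caddy is the only way in.
      - internal-network
      - proxy-network

networks:
  internal-network:
    external: true
  proxy-network:
    external: true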

MariaDB

cat mariadb/docker-compose.yaml
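version: '3'
services:
  mariadb:
    image: mariadb:10.5
    container_name: mariadb
    restart: unless-stopped
    environment:
      # Secrets come from a .env file next to this compose file (or the shell
      # environment) rather than from this file; `${VAR:?msg}` makes compose
      # refuse to start while a value is unset.
      MYSQL_ROOT_PASSWORD: "${MYSQL_ROOT_PASSWORD:?set MYSQL_ROOT_PASSWORD in .env}"
      MYSQL_DATABASE: db_name
      MYSQL_USER: db_user
      # Must match the password in Vaultwarden's DATABASE_URL.
      MYSQL_PASSWORD: "${DB_PASSWORD:?set DB_PASSWORD in .env}"
    # Exactly one `volumes:` key per service. The original listed it twice
    # (a named db_data volume first, these binds second); YAML parsers either
    # reject the duplicate or silently keep only the last mapping, so the
    # undeclared db_data volume was never used. The bind mount is kept.
    volumes:
      - './db/data:/var/lib/mysql'
      - './db/my.cnf:/etc/mysql/conf.d/my.cnf'
      # Scripts here run only when the data directory is first initialised;
      # they execute inside the database, so treat the directory as code.
      - './db/sql:/docker-entrypoint-initdb.d'
    networks:
      # Only reachable from containers on internal-network; no ports published.
      - internal-network

networks:
  internal-network:
    external: true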