inital setup

2023-06-10 23:32:22 +02:00
parent 3ca322d327
commit 8366aef3ad
4 changed files with 101 additions and 1 deletions
--- a/.env.sample
+++ b/.env.sample
@@ -0,0 +1,5 @@
+TAG=
+BASEDIR=
+
+# generate token: < /dev/urandom tr -dc A-Za-z0-9 | head -c32;echo;
+ADMIN_TOKEN=
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+files/
+.env
--- a/README.md
+++ b/README.md
@@ -1,2 +1,68 @@
-# compose-vaultwarden
+# Basic Vaultwarden docker-compose config
+* can be run on single node setup or in swarm  

+## howto
+### single node
+#### start container
+```bash
+docker compose up -d
+```
+
+#### stop container (and remove)
+```bash
+docker compose down
+```
+
+#### view logs
+```bash
+docker compose logs -f
+```
+
+#### reload config
+```bash
+docker compose restart
+```
+
+### swarm
+#### start aka deploy
+```bash
+docker stack deploy -c docker-compose.yml caddy
+```
+
+#### stop container aka service
+```bash
+docker service rm caddy_caddy
+```
+
+#### view logs
+```bash
+docker service logs caddy_caddy -f
+```
+
+#### reload config (no downtime if replica 2 or more)
+```bash
+docker service update caddy_caddy --force
+```
+
+## example caddy config
+```
+vault.example.com {
+    header {
+        Strict-Transport-Security max-age=31536000;
+        X-XSS-Protection "1; mode=block"
+        X-Frame-Options DENY
+        X-Robots-Tag none
+        -Server
+    }
+    reverse_proxy vaultwarden:80 {
+        header_up X-Real-IP {remote_host}
+    }
+
+    # disable /admin page via domain (diable for inital config)
+    handle /admin {
+        respond 403
+    }
+
+    reverse_proxy 10.1.16.1:80
+}
+```
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,27 @@
+# https://docs.docker.com/compose/compose-file/compose-file-v3/
+---
+version: "3.9"
+services:
+  vault:
+    image: vaultwarden/server:${TAG:-latest}
+    container_name: vault
+    env_file: .env
+    restart: unless-stopped
+    ports:
+      - 80:80
+    deploy:
+      replicas: 1
+      placement:
+        max_replicas_per_node: 1
+      update_config:
+        parallelism: 1
+        delay: 10s
+    volumes:
+      - ${BASEDIR:-./files/}:/data/
+    networks:
+      - backend
+
+networks:
+  frontend:
+    name: ${INTRANET:-backend}
+    external: true