-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathdocker-compose.yml
More file actions
123 lines (123 loc) · 5.06 KB
/
docker-compose.yml
File metadata and controls
123 lines (123 loc) · 5.06 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
---
services:
traefik:
image: traefik:v3.6.7
container_name: traefik
command:
#- "--log.level=DEBUG"
- "--providers.docker=true"
- "--providers.docker.exposedByDefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
- "--certificatesresolvers.myresolver.acme.tlschallenge=true"
#- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
- "--certificatesresolvers.myresolver.acme.email=you@domain.tld"
- "--certificatesresolvers.myresolver.acme.storage=acme.json"
- "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
restart: unless-stopped
ports:
- 80:80
- 443:443
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- /opt/docker/vaultwarden/le:/letsencrypt
waf:
image: owasp/modsecurity-crs:4.17.1-apache-alpine-202508061208
container_name: waf
environment:
PORT: "8080"
SSL_ENGINE: "off"
BLOCKING_PARANOIA: 1
ANOMALY_INBOUND: 10
ANOMALY_OUTBOUND: 5
SERVER_NAME: "vaultwarden.ricdros.com"
MODSEC_STATUS_ENGINE: "on"
MODSEC_AUDIT_ENGINE: "on"
MODSEC_AUDIT_LOG: "/dev/stdout"
MODSEC_DEBUG_LOGLEVEL: "0"
MODSEC_DEBUG_LOG: "/dev/stdout"
LOGLEVEL: "warn"
ACCESSLOG: "/dev/stdout"
PROXY: 1
REMOTEIP_INT_PROXY: "172.20.0.1/16"
BACKEND: "http://vaultwarden:80"
BACKEND_WS: "ws://vaultwarden:80/notifications/hub"
PROXY_ERROR_OVERRIDE: "off"
volumes:
- /opt/docker/vaultwarden/waf/log:/var/log/waf
- /opt/docker/vaultwarden/waf-rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf:/etc/modsecurity.d/owasp-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
- /opt/docker/vaultwarden/waf-rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf:/etc/modsecurity.d/owasp-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
labels:
- "traefik.enable=true"
- "traefik.http.middlewares.redirect-https.redirectScheme.scheme=https"
- "traefik.http.middlewares.redirect-https.redirectScheme.permanent=true"
- "traefik.http.routers.vw-ui-https.rule=Host(`sub.domain.tld`)"
- "traefik.http.routers.vw-ui-https.entrypoints=websecure"
- "traefik.http.routers.vw-ui-https.tls=true"
- "traefik.http.routers.vw-ui-https.tls.certresolver=myresolver"
- "traefik.http.routers.vw-ui-https.service=vw-ui"
- "traefik.http.routers.vw-ui-http.rule=Host(`sub.domain.tld`)"
- "traefik.http.routers.vw-ui-http.entrypoints=web"
- "traefik.http.routers.vw-ui-http.middlewares=redirect-https"
- "traefik.http.routers.vw-ui-http.service=vw-ui"
- "traefik.http.services.vw-ui.loadbalancer.server.port=8080"
- "traefik.http.routers.vw-websocket-https.rule=Host(`sub.domain.tld`) && Path(`/notifications/hub`)"
- "traefik.http.routers.vw-websocket-https.entrypoints=websecure"
- "traefik.http.routers.vw-websocket-https.tls=true"
- "traefik.http.routers.vw-websocket-https.tls.certresolver=myresolver"
- "traefik.http.routers.vw-websocket-https.service=vw-websocket"
- "traefik.http.routers.vw-websocket-http.rule=Host(`sub.domain.tld`) && Path(`/notifications/hub`)"
- "traefik.http.routers.vw-websocket-http.entrypoints=web"
- "traefik.http.routers.vw-websocket-http.middlewares=redirect-https"
- "traefik.http.routers.vw-websocket-http.service=vw-websocket"
- "traefik.http.services.vw-websocket.loadbalancer.server.port=3012"
vaultwarden:
image: vaultwarden/server:1.35.2-alpine
container_name: vaultwarden
restart: unless-stopped
environment:
WEBSOCKET_ENABLED: "true"
SENDS_ALLOWED: "true"
PASSWORD_ITERATIONS: 500000
SIGNUPS_ALLOWED: "false"
SIGNUPS_VERIFY: "true"
SIGNUPS_DOMAINS_WHITELIST: "domain.tld"
ADMIN_TOKEN: "SUPERSECUREHERE" # See `README.md`
DATABASE_URL: "postgresql://vaultwarden:DB_PASSWORD@vaultwarden-db:5432/vaultwarden" # pragma: allowlist secret
DOMAIN: "https://sub.domain.tld"
SMTP_HOST: "smtp server"
SMTP_FROM: "sender email e.g: you@domain.tld"
SMTP_FROM_NAME: "sender name"
SMTP_SECURITY: "starttls"
SMTP_PORT: 587
SMTP_USERNAME: "smtp username"
SMTP_PASSWORD: "smtp password" # pragma: allowlist secret
LOG_LEVEL: "warn"
EXTENDED_LOGGING: "true"
TZ: "Etc/UTC"
volumes:
- /opt/docker/vaultwarden/data:/data
vaultwarden-db:
image: postgres:18.1-alpine3.22
container_name: vaultwarden-db
restart: unless-stopped
environment:
POSTGRES_DB: vaultwarden
POSTGRES_USER: vaultwarden
POSTGRES_PASSWORD: DB_PASSWORD # pragma: allowlist secret
volumes:
- /opt/docker/vaultwarden/db/data/17:/var/lib/postgresql/data
healthcheck:
test: |
pg_isready -d "$${POSTGRES_DB}" -U "$${POSTGRES_USER}"
start_period: 80s
interval: 30s
timeout: 60s
retries: 5
networks:
default:
driver: bridge
ipam:
driver: default
config:
- subnet: 172.20.0.1/16