-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit 560b6b8
Showing
9 changed files
with
391 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,75 @@ | ||
# Your domain name without protocol | ||
# If you don't have your own domain (highly recommended) | ||
# comment this out for first deployment, add your fly.dev domain here | ||
# then reset your secrets and redeploy your app (untested) | ||
DOMAIN_NAME=domain.name.com | ||
|
||
################### | ||
# E-mail settings # | ||
################### | ||
|
||
# the e-mail address used to send e-mails from both vaultwarden and restic | ||
SMTP_FROM=from@mail.com | ||
|
||
# the e-mail address to notify on case of restic backup failure | ||
SMTP_TO=to@mail.com | ||
|
||
# https://github.com/dani-garcia/vaultwarden/wiki/SMTP-Configuration | ||
SMTP_HOST=smtp.gmail.com | ||
SMTP_PORT=587 | ||
SMTP_USERNAME=88888888@gmail.com | ||
SMTP_PASSWORD=88888888 | ||
|
||
################### | ||
# Restic settings # | ||
################### | ||
|
||
# You don't need to initialize this repo beforehand | ||
RESTIC_REPOSITORY=s3://88888888.r2.cloudflarestorage.com/vaultwarden | ||
RESTIC_PASSWORD=88888888 | ||
|
||
# If using S3 (or B2, wasabi, Minio) you'll need those | ||
AWS_ACCESS_KEY_ID=88888888 | ||
AWS_SECRET_ACCESS_KEY=88888888 | ||
|
||
|
||
######################## | ||
# Vaultwarden settings # | ||
######################## | ||
|
||
# You can read more about vaultwarden environment variables here | ||
# https://github.com/dani-garcia/vaultwarden/wiki/Configuration-overview#configuration-options | ||
|
||
# Check https://github.com/dani-garcia/vaultwarden/wiki/Configuration-overview#setting-the-domain-url | ||
# If you don't have your own domain (highly recommended) | ||
# comment this out for first deployment, add your fly.dev domain here | ||
# then reset your secrets and redeploy your app (untested) | ||
DOMAIN=https://{$DOMAIN_NAME} | ||
|
||
# Check https://github.com/dani-garcia/vaultwarden/wiki/Disable-registration-of-new-users | ||
SIGNUPS_ALLOWED=false | ||
|
||
# Check https://github.com/dani-garcia/vaultwarden/wiki/Disable-registration-of-new-users#restricting-registrations-to-certain-email-domains | ||
# SIGNUPS_DOMAINS_WHITELIST=example.com | ||
|
||
# Check https://github.com/dani-garcia/vaultwarden/wiki/Disable-registration-of-new-users#restricting-registrations-to-certain-email-domains | ||
# SIGNUPS_VERIFY=true | ||
|
||
# Check https://github.com/dani-garcia/vaultwarden/wiki/Disable-invitations | ||
# INVITATIONS_ALLOWED=false | ||
|
||
# This is commented by default, because I strongly advise setting this only when needed | ||
# Make sure you read the link below to understand the consequences and to secure the token | ||
# https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page | ||
# ADMIN_TOKEN=secure-token | ||
|
||
# Check https://github.com/dani-garcia/vaultwarden/blob/e7f083dee9743bfe4937f5c8149fa9d8383edb96/.env.template#L261-L267 | ||
ORG_CREATION_USERS=admin@gmail.com | ||
|
||
# Check https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Guide#disable-password-hint-display | ||
SHOW_PASSWORD_HINT=false | ||
|
||
# Check https://github.com/dani-garcia/vaultwarden/wiki/Enabling-WebSocket-notifications | ||
# You don't need to do any additional configuration, as the template | ||
# already uses Caddy to configure the websocket proxy | ||
WEBSOCKET_ENABLED=true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
name: Docker | ||
|
||
on: | ||
workflow_dispatch: {} | ||
schedule: | ||
- cron: '25 2 * * *' | ||
push: | ||
tags: [ '*' ] | ||
|
||
env: | ||
REGISTRY: ghcr.io | ||
IMAGE_NAME: ${{ github.repository }} | ||
|
||
jobs: | ||
build: | ||
|
||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: read | ||
packages: write | ||
id-token: write | ||
|
||
steps: | ||
- name: Checkout repository | ||
uses: actions/checkout@v4 | ||
|
||
- name: Log into registry ${{ env.REGISTRY }} | ||
if: github.event_name != 'pull_request' | ||
uses: docker/login-action@v3 | ||
with: | ||
registry: ${{ env.REGISTRY }} | ||
username: ${{ github.actor }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
- name: Extract Docker metadata | ||
id: meta | ||
uses: docker/metadata-action@v5 | ||
with: | ||
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | ||
tags: | | ||
type=raw, value=latest, enable={{is_default_branch}} | ||
type=semver, pattern={{version}} | ||
type=ref, event=branch | ||
type=ref, event=tag | ||
type=ref, event=pr | ||
- name: Build and push Docker image | ||
id: build-and-push | ||
uses: docker/build-push-action@v5 | ||
with: | ||
context: . | ||
push: ${{ github.event_name != 'pull_request' }} | ||
tags: ${{ steps.meta.outputs.tags }} | ||
labels: ${{ steps.meta.outputs.labels }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,57 @@ | ||
FROM vaultwarden/server:1.30.3-alpine | ||
|
||
WORKDIR / | ||
|
||
ARG SUPERCRONIC_URL=https://github.com/aptible/supercronic/releases/download/v0.2.29/supercronic-linux-amd64 \ | ||
OVERMIND_URL=https://github.com/DarthSim/overmind/releases/download/v2.4.0/overmind-v2.4.0-linux-amd64.gz | ||
|
||
ENV OVERMIND_CAN_DIE=crontab \ | ||
OVERMIND_PROCFILE=/Procfile \ | ||
|
||
ROCKET_PORT=8080 \ | ||
|
||
SMTP_HOST=smtp.gmail.com \ | ||
SMTP_PORT=587 \ | ||
SMTP_USERNAME=88888888@gmail.com \ | ||
SMTP_PASSWORD=88888888 \ | ||
SMTP_FROM=88888888@gmail.com \ | ||
SMTP_TO= \ | ||
|
||
RESTIC_REPOSITORY=s3://88888888.r2.cloudflarestorage.com/vaultwarden \ | ||
RESTIC_PASSWORD= \ | ||
AWS_ACCESS_KEY_ID= \ | ||
AWS_SECRET_ACCESS_KEY= | ||
|
||
COPY config/crontab \ | ||
config/Procfile \ | ||
config/Caddyfile \ | ||
scripts/restic.sh \ | ||
/ | ||
|
||
RUN apk add --no-cache \ | ||
curl \ | ||
caddy \ | ||
restic \ | ||
ca-certificates \ | ||
openssl \ | ||
tzdata \ | ||
iptables \ | ||
ip6tables \ | ||
iputils-ping \ | ||
tmux \ | ||
sqlite \ | ||
msmtp \ | ||
mailx \ | ||
|
||
&& rm -rf /var/cache/apk/* \ | ||
&& curl -fsSL "$SUPERCRONIC_URL" -o /usr/local/bin/supercronic \ | ||
&& curl -fsSL "$OVERMIND_URL" | gunzip -c - > /usr/local/bin/overmind \ | ||
|
||
&& ln -sf /usr/bin/msmtp /usr/bin/sendmail \ | ||
&& ln -sf /usr/bin/msmtp /usr/sbin/sendmail \ | ||
|
||
&& chmod +x /usr/local/bin/supercronic \ | ||
&& chmod +x /usr/local/bin/overmind \ | ||
&& chmod +x /restic.sh | ||
|
||
CMD ["overmind", "start"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
``` | ||
fly auth login | ||
fly apps create vaultwarden | ||
cat .env | fly secrets import | ||
fly volumes create app_data --size 1 | ||
fly deploy | ||
fly ssh console | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
{ | ||
# HTTPS/TLS is handled by Fly or on your domain (eg: Cloudflare) | ||
auto_https off | ||
admin off | ||
persist_config off | ||
|
||
log { | ||
output stdout | ||
format console | ||
} | ||
} | ||
|
||
{$DOMAIN_NAME}:80 { | ||
encode gzip | ||
|
||
header / { | ||
# Enable HTTP Strict Transport Security (HSTS) | ||
Strict-Transport-Security "max-age=31536000;" | ||
# Enable cross-site filter (XSS) and tell browser to block detected attacks | ||
X-XSS-Protection "1; mode=block" | ||
# Disallow the site to be rendered within a frame (clickjacking protection) | ||
X-Frame-Options "DENY" | ||
# Prevent search engines from indexing | ||
X-Robots-Tag "noindex, nofollow" | ||
# Disallow sniffing of X-Content-Type-Options | ||
X-Content-Type-Options "nosniff" | ||
# Server name removing | ||
-Server | ||
# Remove X-Powered-By though this shouldn't be an issue, better opsec to remove | ||
-X-Powered-By | ||
# Remove Last-Modified because etag is the same and is as effective | ||
-Last-Modified | ||
} | ||
|
||
# The negotiation endpoint is also proxied to Rocket | ||
reverse_proxy /notifications/hub/negotiate localhost:8080 | ||
|
||
# Notifications redirected to the websockets server | ||
reverse_proxy /notifications/hub localhost:3012 | ||
|
||
# Proxy everything else to Rocket | ||
reverse_proxy localhost:8080 { | ||
# Send the true remote IP to Rocket, so that vaultwarden can put this in the log | ||
header_up X-Real-IP {remote_host} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
vaultwarden: /start.sh | ||
caddy: caddy run --config /Caddyfile | ||
crontab: supercronic /crontab |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
@hourly /restic.sh | ||
@hourly /usr/bin/find /var/log/restic/ -name "*.log" -type f -mmin +600 -exec rm -f {} \; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
app = "vaultwarden" | ||
primary_region = "hkg" | ||
kill_signal = "SIGINT" | ||
kill_timeout = 5 | ||
|
||
[build] | ||
image = "ghcr.io/webees/vaultwarden" | ||
|
||
[mounts] | ||
source = "app_data" | ||
destination = "/data" | ||
|
||
[http_service] | ||
internal_port = 80 | ||
force_https = true | ||
min_machines_running = 1 | ||
|
||
[checks] | ||
[checks.health] | ||
grace_period = "30s" | ||
interval = "15s" | ||
method = "get" | ||
path = "/alive" | ||
port = 80 | ||
timeout = "10s" | ||
type = "http" |
Oops, something went wrong.