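---
# Docker Compose stack: Vaultwarden (password manager) published through Traefik.
# The container publishes no host ports; it is reached only over the external
# "proxy-net" network, with TLS terminated by Traefik on the "websecure" entrypoint.
x-info:
  repo: https://github.com/dani-garcia/vaultwarden
  releases: https://github.com/dani-garcia/vaultwarden/releases
  documentation: https://github.com/dani-garcia/vaultwarden#readme

services:
  vaultwarden:
    # Pinned to an exact release tag. A tag can be re-pushed upstream; append
    # @sha256:<digest of the verified image> for an immutable reference.
    image: vaultwarden/server:1.35.5
    container_name: vaultwarden
    restart: unless-stopped
    networks:
      - proxy-net
    environment:
      # Must match the public URL served by the Traefik router below.
      DOMAIN: "https://vault.castaldifamily.com"
      # NOTE(review): recent Vaultwarden releases serve WebSocket notifications
      # on the main HTTP port and are expected to ignore this flag. Confirm
      # against the release notes for the pinned image and drop it if unused.
      WEBSOCKET_ENABLED: "true"
      # SECURITY: open registration. Anyone who can reach the public hostname
      # can create an account while this is "true". Switch to "false" once the
      # intended accounts exist; INVITATIONS_ALLOWED keeps invitations working.
      SIGNUPS_ALLOWED: "true"
      INVITATIONS_ALLOWED: "true"
      # Unlocks the /admin panel. Keep the value out of version control (.env or
      # a secret store). Prefer an Argon2 PHC hash over a plaintext token, and
      # single-quote it in .env so its "$" characters are not interpolated.
      # The router below matches the whole host, so /admin is internet-facing
      # and protected by this token alone; consider a separate router for
      # /admin with an IP allow-list middleware.
      ADMIN_TOKEN: "${VAULTWARDEN_ADMIN_TOKEN}"
      # Password hints stay off so they cannot be shown on the login page.
      SHOW_PASSWORD_HINT: "false"
    volumes:
      # Holds the vault database, attachments and server keys. Restrict host
      # permissions on this path and include it in encrypted backups.
      - /mnt/appdata/vaultwarden/data:/data/
    # Direct host binding is intentionally disabled; traffic arrives via Traefik.
    # ports:
    #   - 127.0.0.1:8000:80
    logging:
      # Bounded log rotation: at most 3 files of 10 MB each.
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"
    labels:
      # Enable Traefik
      - "traefik.enable=true"

      # HTTPS Router
      - "traefik.http.routers.vaultwarden.rule=Host(`vault.castaldifamily.com`)"
      - "traefik.http.routers.vaultwarden.entrypoints=websecure"
      - "traefik.http.routers.vaultwarden.tls=true"
      - "traefik.http.routers.vaultwarden.tls.certresolver=cloudflare"
      - "traefik.http.routers.vaultwarden.service=vaultwarden"

      # Apply existing security headers + stricter rate limit for password manager.
      # security-headers@file is defined in Traefik's file provider, outside this file.
      - "traefik.http.routers.vaultwarden.middlewares=security-headers@file,vaultwarden-ratelimit"

      # Service definition
      - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"

      # Custom rate limit (stricter than basic for password manager).
      # With Traefik's default 1s period this allows 20 requests/s (burst 40)
      # per source, which limits floods but barely slows login guessing; pair
      # it with Vaultwarden's own LOGIN_RATELIMIT_* settings.
      # NOTE(review): sources are keyed by client IP by default. If another
      # proxy or CDN sits in front of Traefik, all clients may share one
      # bucket; confirm the middleware's sourceCriterion matches the topology.
      - "traefik.http.middlewares.vaultwarden-ratelimit.ratelimit.average=20"
      - "traefik.http.middlewares.vaultwarden-ratelimit.ratelimit.burst=40"

networks:
  # Created and managed outside this stack; shared with the Traefik container.
  proxy-net:
    external: true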