2154ca1ce0
- Added BACKUP.md with comprehensive backup/restore documentation - Created backup-vaultwarden.sh for automated PostgreSQL and data backups - Created restore-vaultwarden.sh for safe backup restoration - Fixed HTTP response validation by configuring Vaultwarden-specific headers - Set X-XSS-Protection: 0 (as required by Vaultwarden) - Set X-Frame-Options: SAMEORIGIN for API calls - Removed conflicting secure-headers@file middleware - Added custom vaultwarden-headers middleware - Updated .gitignore to exclude backups/ directory Backup system: - Backs up to /srv/backups/vaultwarden/ (configurable) - Logs to /var/log/vaultwarden/backup.log - 30-day retention policy - Includes PostgreSQL database, RSA key, config, and .env Note: Backup scripts should be moved to /srv/backups/scripts/ for production use 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
68 lines
3.2 KiB
YAML
68 lines
3.2 KiB
YAML
services:
|
|
vaultwarden:
|
|
image: vaultwarden/server:latest
|
|
container_name: vaultwarden
|
|
restart: always
|
|
networks:
|
|
- traefik
|
|
volumes:
|
|
- ./data:/data
|
|
- /etc/localtime:/etc/localtime:ro
|
|
environment:
|
|
- DATABASE_URL=${DATABASE_URL}
|
|
- ADMIN_TOKEN=${ADMIN_TOKEN}
|
|
- SIGNUPS_ALLOWED=false
|
|
- DOMAIN=https://${DOMAIN}
|
|
- SMTP_HOST=${SMTP_HOST}
|
|
- SMTP_FROM=${SMTP_FROM}
|
|
- SMTP_PORT=${SMTP_PORT}
|
|
- SMTP_SECURITY=${SMTP_SECURITY}
|
|
- SMTP_USERNAME=${SMTP_USERNAME}
|
|
- SMTP_PASSWORD=${SMTP_PASSWORD}
|
|
labels:
|
|
- "traefik.enable=true"
|
|
|
|
# Vaultwarden-specific security headers
|
|
- "traefik.http.middlewares.vaultwarden-headers.headers.customResponseHeaders.X-XSS-Protection=0"
|
|
- "traefik.http.middlewares.vaultwarden-headers.headers.customResponseHeaders.X-Content-Type-Options=nosniff"
|
|
- "traefik.http.middlewares.vaultwarden-headers.headers.customResponseHeaders.Referrer-Policy=same-origin"
|
|
- "traefik.http.middlewares.vaultwarden-headers.headers.customResponseHeaders.X-Robots-Tag=noindex, nofollow"
|
|
- "traefik.http.middlewares.vaultwarden-headers.headers.customResponseHeaders.X-Frame-Options=SAMEORIGIN"
|
|
|
|
# HTTP to HTTPS redirect
|
|
- "traefik.http.routers.vaultwarden-http.rule=Host(`${DOMAIN}`)"
|
|
- "traefik.http.routers.vaultwarden-http.entrypoints=http"
|
|
- "traefik.http.routers.vaultwarden-http.service=vaultwarden"
|
|
- "traefik.http.routers.vaultwarden-http.priority=100"
|
|
- "traefik.http.routers.vaultwarden-http.middlewares=redirect-to-https@docker"
|
|
|
|
# Main HTTP/HTTPS router
|
|
- "traefik.http.routers.vaultwarden.rule=Host(`${DOMAIN}`)"
|
|
- "traefik.http.routers.vaultwarden.entrypoints=https"
|
|
- "traefik.http.routers.vaultwarden.tls=true"
|
|
- "traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt"
|
|
- "traefik.http.routers.vaultwarden.service=vaultwarden"
|
|
- "traefik.http.services.vaultwarden.loadbalancer.server.port=80"
|
|
- "traefik.http.routers.vaultwarden.middlewares=geoblock@file,vaultwarden-headers,crowdsec-bouncer@file"
|
|
|
|
# WebSocket router (required for real-time sync)
|
|
- "traefik.http.routers.vaultwarden-ws.rule=Host(`${DOMAIN}`) && Path(`/notifications/hub`)"
|
|
- "traefik.http.routers.vaultwarden-ws.entrypoints=https"
|
|
- "traefik.http.routers.vaultwarden-ws.tls=true"
|
|
- "traefik.http.routers.vaultwarden-ws.tls.certresolver=letsencrypt"
|
|
- "traefik.http.routers.vaultwarden-ws.service=vaultwarden-ws"
|
|
- "traefik.http.services.vaultwarden-ws.loadbalancer.server.port=3012"
|
|
- "traefik.http.routers.vaultwarden-ws.middlewares=geoblock@file,crowdsec-bouncer@file"
|
|
|
|
# Admin panel router (restricted to internal IPs)
|
|
- "traefik.http.routers.vaultwarden-admin.rule=Host(`${DOMAIN}`) && PathPrefix(`/admin`)"
|
|
- "traefik.http.routers.vaultwarden-admin.entrypoints=https"
|
|
- "traefik.http.routers.vaultwarden-admin.tls=true"
|
|
- "traefik.http.routers.vaultwarden-admin.tls.certresolver=letsencrypt"
|
|
- "traefik.http.routers.vaultwarden-admin.service=vaultwarden"
|
|
- "traefik.http.routers.vaultwarden-admin.middlewares=internal-whitelist@file,crowdsec-bouncer@file"
|
|
|
|
networks:
|
|
traefik:
|
|
external: true
|