🐝

.env

@@ -0,0 +1,75 @@
+# Your domain name without protocol
+# If you don't have your own domain (highly recommended)
+# comment this out for first deployment, add your fly.dev domain here
+# then reset your secrets and redeploy your app (untested)
+DOMAIN_NAME=domain.name.com
+
+###################
+# E-mail settings #
+###################
+
+# the e-mail address used to send e-mails from both vaultwarden and restic
+SMTP_FROM=from@mail.com
+
+# the e-mail address to notify on case of restic backup failure
+SMTP_TO=to@mail.com
+
+# https://github.com/dani-garcia/vaultwarden/wiki/SMTP-Configuration
+SMTP_HOST=smtp.gmail.com
+SMTP_PORT=587
+SMTP_USERNAME=88888888@gmail.com
+SMTP_PASSWORD=88888888
+
+###################
+# Restic settings #
+###################
+
+# You don't need to initialize this repo beforehand
+RESTIC_REPOSITORY=s3://88888888.r2.cloudflarestorage.com/vaultwarden
+RESTIC_PASSWORD=88888888
+
+# If using S3 (or B2, wasabi, Minio) you'll need those
+AWS_ACCESS_KEY_ID=88888888
+AWS_SECRET_ACCESS_KEY=88888888
+
+
+########################
+# Vaultwarden settings #
+########################
+
+# You can read more about vaultwarden environment variables here
+# https://github.com/dani-garcia/vaultwarden/wiki/Configuration-overview#configuration-options
+
+# Check https://github.com/dani-garcia/vaultwarden/wiki/Configuration-overview#setting-the-domain-url
+# If you don't have your own domain (highly recommended)
+# comment this out for first deployment, add your fly.dev domain here
+# then reset your secrets and redeploy your app (untested)
+DOMAIN=https://{$DOMAIN_NAME}
+
+# Check https://github.com/dani-garcia/vaultwarden/wiki/Disable-registration-of-new-users
+SIGNUPS_ALLOWED=false
+
+# Check https://github.com/dani-garcia/vaultwarden/wiki/Disable-registration-of-new-users#restricting-registrations-to-certain-email-domains
+# SIGNUPS_DOMAINS_WHITELIST=example.com
+
+# Check https://github.com/dani-garcia/vaultwarden/wiki/Disable-registration-of-new-users#restricting-registrations-to-certain-email-domains
+# SIGNUPS_VERIFY=true
+
+# Check https://github.com/dani-garcia/vaultwarden/wiki/Disable-invitations
+# INVITATIONS_ALLOWED=false
+
+# This is commented by default, because I strongly advise setting this only when needed
+# Make sure you read the link below to understand the consequences and to secure the token
+# https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page
+# ADMIN_TOKEN=secure-token
+
+# Check https://github.com/dani-garcia/vaultwarden/blob/e7f083dee9743bfe4937f5c8149fa9d8383edb96/.env.template#L261-L267
+ORG_CREATION_USERS=admin@gmail.com
+
+# Check https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Guide#disable-password-hint-display
+SHOW_PASSWORD_HINT=false
+
+# Check https://github.com/dani-garcia/vaultwarden/wiki/Enabling-WebSocket-notifications
+# You don't need to do any additional configuration, as the template
+# already uses Caddy to configure the websocket proxy
+WEBSOCKET_ENABLED=true

.github/workflows/publish.yaml

@@ -0,0 +1,54 @@
+name: Docker
+
+on:
+  workflow_dispatch: {}
+  schedule:
+    - cron: '25 2 * * *'
+  push:
+    tags: [ '*' ]
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw, value=latest, enable={{is_default_branch}}
+            type=semver, pattern={{version}}
+            type=ref, event=branch
+            type=ref, event=tag
+            type=ref, event=pr
+
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

Dockerfile

@@ -0,0 +1,57 @@
+FROM vaultwarden/server:1.30.3-alpine
+
+WORKDIR /
+
+ARG SUPERCRONIC_URL=https://github.com/aptible/supercronic/releases/download/v0.2.29/supercronic-linux-amd64 \
+    OVERMIND_URL=https://github.com/DarthSim/overmind/releases/download/v2.4.0/overmind-v2.4.0-linux-amd64.gz
+
+ENV OVERMIND_CAN_DIE=crontab \
+    OVERMIND_PROCFILE=/Procfile \
+
+    ROCKET_PORT=8080 \
+
+    SMTP_HOST=smtp.gmail.com \
+    SMTP_PORT=587 \
+    SMTP_USERNAME=88888888@gmail.com \
+    SMTP_PASSWORD=88888888 \
+    SMTP_FROM=88888888@gmail.com \
+    SMTP_TO= \
+
+    RESTIC_REPOSITORY=s3://88888888.r2.cloudflarestorage.com/vaultwarden \
+    RESTIC_PASSWORD= \
+    AWS_ACCESS_KEY_ID= \
+    AWS_SECRET_ACCESS_KEY=
+
+COPY config/crontab \
+     config/Procfile \
+     config/Caddyfile \
+     scripts/restic.sh \
+     /
+
+RUN apk add --no-cache \
+        curl \
+        caddy \
+        restic \
+        ca-certificates \
+        openssl \
+        tzdata \
+        iptables \
+        ip6tables \
+        iputils-ping \
+        tmux \
+        sqlite \
+        msmtp \
+        mailx \
+
+        && rm -rf /var/cache/apk/* \
+        && curl -fsSL "$SUPERCRONIC_URL" -o /usr/local/bin/supercronic \
+        && curl -fsSL "$OVERMIND_URL" | gunzip -c - > /usr/local/bin/overmind \
+
+        && ln -sf /usr/bin/msmtp /usr/bin/sendmail \
+        && ln -sf /usr/bin/msmtp /usr/sbin/sendmail \
+
+        && chmod +x /usr/local/bin/supercronic \
+        && chmod +x /usr/local/bin/overmind \
+        && chmod +x /restic.sh
+
+CMD ["overmind", "start"]

README.md

@@ -0,0 +1,8 @@
+```
+fly auth login
+fly apps create vaultwarden
+cat .env | fly secrets import
+fly volumes create app_data --size 1
+fly deploy
+fly ssh console
+```

config/Caddyfile

@@ -0,0 +1,46 @@
+{
+	# HTTPS/TLS is handled by Fly or on your domain (eg: Cloudflare)
+	auto_https off
+	admin off
+	persist_config off
+
+	log {
+		output stdout
+		format console
+	}
+}
+
+{$DOMAIN_NAME}:80 {
+	encode gzip
+
+	header / {
+		# Enable HTTP Strict Transport Security (HSTS)
+		Strict-Transport-Security "max-age=31536000;"
+		# Enable cross-site filter (XSS) and tell browser to block detected attacks
+		X-XSS-Protection "1; mode=block"
+		# Disallow the site to be rendered within a frame (clickjacking protection)
+		X-Frame-Options "DENY"
+		# Prevent search engines from indexing
+		X-Robots-Tag "noindex, nofollow"
+		# Disallow sniffing of X-Content-Type-Options
+		X-Content-Type-Options "nosniff"
+		# Server name removing
+		-Server
+		# Remove X-Powered-By though this shouldn't be an issue, better opsec to remove
+		-X-Powered-By
+		# Remove Last-Modified because etag is the same and is as effective
+		-Last-Modified
+	}
+
+	# The negotiation endpoint is also proxied to Rocket
+	reverse_proxy /notifications/hub/negotiate localhost:8080
+
+	# Notifications redirected to the websockets server
+	reverse_proxy /notifications/hub localhost:3012
+
+	# Proxy everything else to Rocket
+	reverse_proxy localhost:8080 {
+		# Send the true remote IP to Rocket, so that vaultwarden can put this in the log
+		header_up X-Real-IP {remote_host}
+	}
+}

config/Procfile

@@ -0,0 +1,3 @@
+vaultwarden: /start.sh
+caddy: caddy run --config /Caddyfile
+crontab: supercronic /crontab

config/crontab

@@ -0,0 +1,2 @@
+@hourly /restic.sh
+@hourly /usr/bin/find /var/log/restic/ -name "*.log" -type f -mmin +600 -exec rm -f {} \;

fly.toml

@@ -0,0 +1,26 @@
+app = "vaultwarden"
+primary_region = "hkg"
+kill_signal = "SIGINT"
+kill_timeout = 5
+
+[build]
+  image = "ghcr.io/webees/vaultwarden"
+
+[mounts]
+  source = "app_data"
+  destination = "/data"
+
+[http_service]
+  internal_port = 80
+  force_https = true
+  min_machines_running = 1
+
+[checks]
+  [checks.health]
+    grace_period = "30s"
+    interval = "15s"
+    method = "get"
+    path = "/alive"
+    port = 80
+    timeout = "10s"
+    type = "http"