diff --git a/Using-Docker-Compose.md b/Using-Docker-Compose.md
index 00d2508..5928048 100644
--- a/Using-Docker-Compose.md
+++ b/Using-Docker-Compose.md
@@ -4,9 +4,8 @@ This guide is based on [#126 (comment)](https://github.com/dani-garcia/bitwarden
 Create a `docker-compose.yml` file based on this:
 ```yml
-#docker-compose.yml
-
-version: "3"
+# docker-compose.yml
+version: '3'
 services:
   bitwarden:
@@ -15,8 +14,8 @@ services:
     volumes:
       - ./bw-data:/data
     environment:
-      WEBSOCKET_ENABLED: "true" # Required to use websockets
-      SIGNUPS_ALLOWED: "true" # set to false to disable signups
+      WEBSOCKET_ENABLED: 'true' # Required to use websockets
+      SIGNUPS_ALLOWED: 'true' # set to false to disable signups
   caddy:
     image: abiosoft/caddy
@@ -28,19 +27,20 @@ services:
       - 80:80 # needed for Let's Encrypt
       - 443:443
     environment:
-      ACME_AGREE: "true" # agree to Let's Encrypt Subscriber Agreement
-      DOMAIN: "bitwarden.example.org" # CHANGE THIS! Used for Auto Let's Encrypt SSL
-      EMAIL: "bitwarden@example.org" # CHANGE THIS! Optional, provided to Let's Encrypt
+      ACME_AGREE: 'true' # agree to Let's Encrypt Subscriber Agreement
+      DOMAIN: 'bitwarden.example.org' # CHANGE THIS! Used for Auto Let's Encrypt SSL
+      EMAIL: 'bitwarden@example.org' # CHANGE THIS! Optional, provided to Let's Encrypt
+
 volumes:
   caddycerts:
 ```
 and the corresponding `Caddyfile` (does not need to be modified):
 ```nginx
-#Caddyfile
-
+# Caddyfile
 {$DOMAIN} {
     tls {$EMAIL}
+    gzip
     header / {
         # Enable HTTP Strict Transport Security (HSTS)
@@ -49,6 +49,8 @@ and the corresponding `Caddyfile` (does not need to be modified):
         X-XSS-Protection "1; mode=block"
         # Disallow the site to be rendered within a frame (clickjacking protection)
         X-Frame-Options "DENY"
+        # Prevent search engines from indexing (optional)
+        #X-Robots-Tag "none"
     }
     # The negotiation endpoint is also proxied to Rocket
@@ -80,31 +82,25 @@ docker-compose down stops and destroys the containers.
 If there's no need for websocket notifications, you can run Bitwarden_rs alone. Here's my example. Actually I'm running Bitwarden_rs on my Raspberry Pi and I'm using bitwardenrs/server:raspberry image. If you want to do the same, remember to change it to the example.
-```
-#docker-compose.yml
+```yml
+# docker-compose.yml
 version: '3'
+
 services:
   bitwarden:
     image: bitwardenrs/server
     restart: always
     volumes:
-      - ./bw-data/:/data/
-      - /home/pi/ssl/:/ssl/
+      - ./bw-data:/data
+      - ./ssl:/ssl
+    ports:
+      - 443:80
     environment:
       ROCKET_TLS: '{certs = "/ssl/fullchain.pem", key = "/ssl/key.pem"}'
-      SIGNUPS_ALLOWED: "true"
-      SMTP_HOST: "smtp.host.net"
-      SMTP_FROM: "no-reply@home.example.com"
-      SMTP_PORT: "587"
-      SMTP_SSL: "true"
-      SMTP_USERNAME: "xxx"
-      SMTP_PASSWORD: "yyy"
-      LOG_FILE: "/data/bitwarden.log"
-    ports:
-      - 192.168.1.20:443:80 #Server's home IP
+      LOG_FILE: '/data/bitwarden.log'
+      SIGNUPS_ALLOWED: 'true'
 ```
 Even the server is running at the home network behind the NAT, I wanted to have Let's Encrypt's certificate. I followed this guide https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode. First set domain cname. And with CloudFlare export CF_Key and CF_Email or CF_Token and CF_Account_ID. https://github.com/Neilpang/acme.sh/wiki/dnsapi Then issue a cert. Finally install cert. `acme.sh --install-cert -d home.example.com --key-file /home/pi/ssl/key.pem --fullchain-file /home/pi/ssl/fullchain.pem` Or simply use `acme.sh --issue -d home.example.com --challenge-alias otherdomain.com --dns dns_cf --key-file /home/pi/ssl/key.pem --fullchain-file /home/pi/ssl/fullchain.pem` My domain's A record points to the binded IP on the last line of docker-compose.yml and there are no complaints about certificate.
-