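version: "3"
services:
  vaultwarden:
    # Standard Bitwarden is very resource-heavy and cannot run on micro cloud instances
    # Vaultwarden is a Rust (mostly) feature-complete implementation of Bitwarden
    # https://github.com/dani-garcia/vaultwarden
    #
    # Supply chain: `latest-alpine` is a moving tag and watchtower (below) redeploys
    # whatever it resolves to. Pin a version or digest (vaultwarden/server@sha256:...)
    # if you want to review upgrades before they run against your vault.
    image: vaultwarden/server:latest-alpine
    restart: always
    container_name: vaultwarden
    depends_on:
      - proxy
    volumes:
      # /data is the whole vault (database, attachments, signing keys): keep host
      # permissions on ${PWD}/vaultwarden tight.
      - ${PWD}/vaultwarden:/data
      - ${PWD}/utilities/backup.sh:/backup.sh:ro
    environment:
      - LOG_FILE=/data/vaultwarden.log
      - WEBSOCKET_ENABLED=true  # required for websockets
      - SHOW_PASSWORD_HINT=false
      - DOMAIN=https://${DOMAIN}  # DOMAIN is set in .env but doesn't have protocol prefix
      - SMTP_FROM_NAME=Vaultwarden (${DOMAIN})
      # Client IP is read from this header (used for the log that fail2ban parses).
      # It is only trustworthy while every request reaches vaultwarden through
      # Cloudflare; if the proxy is reachable directly the header can be spoofed
      # and bans land on the wrong address.
      - IP_HEADER=CF-Connecting-IP
      # Value-less variables are set in .env.
      # ADMIN_TOKEN guards /admin; recent vaultwarden accepts an argon2 PHC hash
      # here (see `vaultwarden hash`), which is preferable to a plaintext token in .env.
      - ADMIN_TOKEN
      # Keep false once your accounts exist, otherwise anyone who can reach the
      # tunnel can register.
      - SIGNUPS_ALLOWED
      - SMTP_HOST
      - SMTP_FROM
      - SMTP_PORT
      - SMTP_SECURITY
      - SMTP_USERNAME
      - SMTP_PASSWORD
      - PUSH_ENABLED
      - PUSH_INSTALLATION_ID
      - PUSH_INSTALLATION_KEY
      - YUBICO_CLIENT_ID
      - YUBICO_SECRET_KEY
      - YUBICO_SERVER
      - ORG_CREATION_USERS
      - BACKUP
      - BACKUP_DAYS
      - BACKUP_DIR
      - BACKUP_EMAIL_FROM_NAME
      - BACKUP_ENCRYPTION_KEY
      - BACKUP_EMAIL_TO
      - BACKUP_EMAIL_NOTIFY
      - BACKUP_RCLONE_CONF
      - BACKUP_RCLONE_DEST
    networks:
      - cloudflared
    # Optional backup cron, then hand off to the image's own entrypoint.
    # `$BACKUP` and `$BACKUP_SCHEDULE` are substituted by Compose from .env when the
    # file is parsed, not by the container shell. Note that `apk add` fetches an
    # unpinned sqlite package from the Alpine mirrors on every container start while
    # BACKUP is set. This is a folded (>) scalar, so each line is joined with a
    # space: the explicit `&&` after the apk line keeps it from being merged with
    # the `ln` command that follows it.
    command: >
      sh -c 'if [ -n "$BACKUP" ];
      then
      apk --update --no-cache add sqlite &&
      ln -sf /proc/1/fd/1 /var/log/backup.log &&
      sed -i "/ash \\/backup\\.sh /d" /etc/crontabs/root &&
      echo "$BACKUP_SCHEDULE ash /backup.sh $BACKUP" >> /etc/crontabs/root &&
      crond -d 8;
      fi &&
      exec /start.sh'
  proxy:
    # HAProxy to wrap all services and provide SSL if needed
    # Only cloudflared should be able to reach this; do not publish its ports on
    # the host, or the CF-Connecting-IP trust above no longer holds.
    image: haproxy:alpine
    restart: always
    container_name: proxy
    volumes:
      - ${PWD}/haproxy:/usr/local/etc/haproxy:ro
    networks:
      - cloudflared
  cloudflared:
    # Cloudflared is a proxy tunnel that allows you to expose local services to the internet
    # Untagged image floats to the newest release; pin a tag or digest for controlled upgrades.
    image: cloudflare/cloudflared
    container_name: cloudflared
    restart: always
    # The tunnel token is a credential. Passing it as `--token` puts it in the
    # container's argv, readable by any host user via `ps` and in
    # `docker ps --no-trunc`; cloudflared reads the same value from TUNNEL_TOKEN.
    # (It is still visible to anyone who can `docker inspect`; a Compose secret
    # would be the next step.)
    environment:
      - TUNNEL_TOKEN=${CF_TUNNEL_TOKEN}
    command: tunnel --no-autoupdate run
    depends_on:
      - vaultwarden
    networks:
      - cloudflared
  fail2ban:
    # Implements fail2ban functionality, banning ips that
    # try to bruteforce your vault
    # https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup
    # https://github.com/crazy-max/docker-fail2ban
    image: crazymax/fail2ban:latest
    restart: always
    container_name: fail2ban
    depends_on:
      - vaultwarden
    volumes:
      - ${PWD}/fail2ban:/data
      # Read-only, but this is the whole vault directory (database and keys), not
      # just the log fail2ban needs; consider mounting only the log file.
      - ${PWD}/vaultwarden:/vaultwarden:ro
    environment:
      - F2B_DB_PURGE_AGE=30d
      - F2B_LOG_TARGET=/data/fail2ban.log
      - F2B_LOG_LEVEL=INFO
      # NOTE(review): this container is on the bridge network without NET_ADMIN, so
      # an iptables ban would only touch the container's own INPUT chain, and client
      # traffic arrives through the Cloudflare tunnel anyway. Bans are presumably
      # applied at Cloudflare's edge via CF_USER/CF_TOKEN — confirm the jail action
      # under ${PWD}/fail2ban does that.
      - F2B_IPTABLES_CHAIN=INPUT
      - SSMTP_HOST=${SMTP_HOST}
      - SSMTP_PORT=${SMTP_PORT}
      - SSMTP_USER=${SMTP_USERNAME}
      - SSMTP_PASSWORD=${SMTP_PASSWORD}
      - SSMTP_HOSTNAME=Vaultwarden (${DOMAIN})
      - SSMTP_TLS=${SMTP_TLS}
      - SSMTP_FROM=${SMTP_FROM}
      - SSMTP_TO=${SMTP_ADMIN}
      - SSMTP_STARTTLS=YES
      - PUID
      - PGID
      - CF_USER
      - CF_TOKEN
      - TZ
    networks:
      - cloudflared
  watchtower:
    # Watchtower will pull down your new image, gracefully shut down your existing container
    # and restart it with the same options that were used when it was deployed initially
    # https://github.com/containrrr/watchtower
    image: containrrr/watchtower
    restart: always
    container_name: watchtower
    depends_on:
      - vaultwarden
    volumes:
      # The Docker socket is root-equivalent on the host. Combined with the moving
      # image tags above, a compromised upstream image is deployed automatically.
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - WATCHTOWER_CLEANUP=true
      - WATCHTOWER_SCHEDULE
      - TZ
    networks:
      - cloudflared
networks:
  cloudflared:
    name: cloudflared
    external: true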