@yuna0x0
Last active September 4, 2023 00:20
Vaultwarden (Caddy) Docker Compose for Synology NAS
# Environment for docker-compose.yml (read by Compose as the project's .env file).
# IANA timezone name; passed to both containers as TZ.
TIMEZONE=Asia/Taipei
# Token for the Vaultwarden /admin page (compose passes it through as ADMIN_TOKEN).
# Left empty, the admin page is not usable; set a long random secret only if the
# admin UI is needed. NOTE(review): newer Vaultwarden releases also accept an
# Argon2 PHC-string hash here instead of the plaintext token - confirm for the
# image tag in use.
VAULTWARDEN_ADMIN_TOKEN=
# Loopback port Rocket listens on (ROCKET_PORT) and Caddy proxies to.
VAULTWARDEN_LOCALHOST_PORT=6699
# Caddy site address (host[:port]); becomes HOSTNAME in the caddy container and
# {$HOSTNAME} in the Caddyfile.
CADDY_HOSTNAME=example.com:7777
# Directory holding the NAS's default certificate, mounted into Caddy as /syno-cert.
# Compose does not perform command substitution, so the $(cat ...) below is taken
# literally; run.sh exports the expanded value into the shell environment, which
# takes precedence over this file.
SYNO_CERT_PATH=/usr/syno/etc/certificate/_archive/$(cat /usr/syno/etc/certificate/_archive/DEFAULT)
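# Caddyfile for the vaultwarden_caddy container (mounted at /etc/caddy/Caddyfile).
# Every {$...} placeholder is read from the container environment defined in
# docker-compose.yml: HOSTNAME, LOG_FILE, SSL_CERT_PATH, SSL_KEY_PATH and
# VAULTWARDEN_LOCALHOST_PORT.

# Uncomment this in addition with the import admin_redir statement allow access to the admin interface only from local networks
# (admin_redir) {
#   @admin {
#     path /admin*
#     not remote_ip private_ranges
#   }
#   redir @admin /
# }

{
  # The site address comes with an explicit port (CADDY_HOSTNAME in .env), so
  # Caddy must not try to claim port 80 for an HTTP->HTTPS redirect; TLS is
  # still served on the site's own port with the cert configured below.
  auto_https disable_redirects
}

{$HOSTNAME} {
  log {
    level INFO
    output file {$LOG_FILE} {
      roll_size 10MB
      roll_keep 10
    }
  }

  # Uncomment this if you want to get a cert via ACME (Let's Encrypt or ZeroSSL).
  # tls {$EMAIL}
  # Or uncomment this if you're providing your own cert. You would also use this option
  # if you're running behind Cloudflare.
  # Here the Synology-managed certificate is used (compose mounts it at /syno-cert).
  tls {$SSL_CERT_PATH} {$SSL_KEY_PATH}

  # This setting may have compatibility issues with some browsers
  # (e.g., attachment downloading on Firefox). Try disabling this
  # if you encounter issues.
  encode zstd gzip

  # Uncomment to improve security (WARNING: only use if you understand the implications!)
  # If you want to use FIDO2 WebAuthn, set X-Frame-Options to "SAMEORIGIN" or the Browser will block those requests
  header {
    # Enable HTTP Strict Transport Security (HSTS)
    # Strict-Transport-Security "max-age=31536000;"
    # Legacy XSS-auditor header. Current browsers have removed the auditor and
    # the "1; mode=block" mode was itself a source of bugs in older engines, so
    # the present recommendation (OWASP, MDN) is to disable it explicitly.
    X-XSS-Protection "0"
    # Disallow the site to be rendered within a frame (clickjacking protection)
    X-Frame-Options "SAMEORIGIN"
    # Prevent search engines from indexing (optional)
    X-Robots-Tag "none"
    # Server name removing
    -Server
  }

  # Uncomment to allow access to the admin interface only from local networks
  # import admin_redir

  # Proxy everything to Rocket
  # if located at a sub-path the reverse_proxy line will look like:
  # reverse_proxy /subpath/* <SERVER>:80
  # Both containers use the host network, so a bare :PORT upstream reaches the
  # Rocket listener that vaultwarden binds on 127.0.0.1 (ROCKET_ADDRESS in compose).
  reverse_proxy :{$VAULTWARDEN_LOCALHOST_PORT} {
    # Send the true remote IP to Rocket, so that Vaultwarden can put this in the
    # log, so that fail2ban can ban the correct IP.
    # NOTE(review): if a CDN such as Cloudflare sits in front of Caddy,
    # {remote_host} is the CDN edge address, not the client; the client IP would
    # then have to be taken from the CDN's forwarded header - confirm the topology.
    header_up X-Real-IP {remote_host}
  }
}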
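# Vaultwarden (Caddy) Docker Compose for Synology NAS
#
# Both services run with network_mode: host. vaultwarden binds only to
# 127.0.0.1:${VAULTWARDEN_LOCALHOST_PORT}; Caddy, on the same host network,
# reverse-proxies to it and serves TLS on the address given by CADDY_HOSTNAME.
# Variables come from the adjacent .env file. SYNO_CERT_PATH is exported by
# run.sh, because Compose does not expand the $(cat ...) written in .env.
version: "3"
services:
  vaultwarden:
    restart: always
    # NOTE(review): the floating "latest" tag makes every `pull` an unreviewed
    # upgrade; pin a released version tag once one is chosen.
    image: "vaultwarden/server:latest"
    container_name: vaultwarden
    environment:
      # Timezone settings, important for Fail2ban to work
      - TZ=${TIMEZONE}
      # Logging connection attempts
      - LOG_FILE=/data/vaultwarden.log
      # Loopback only. With host networking this is what keeps the plain-HTTP
      # Rocket listener off the LAN; only Caddy on this host can reach it.
      - ROCKET_ADDRESS=127.0.0.1
      - ROCKET_PORT=${VAULTWARDEN_LOCALHOST_PORT}
      # Beef up a bit
      - ROCKET_WORKERS=20
      # Empty in .env by default; Vaultwarden then does not enable the /admin
      # page (it warns about the empty value at startup - confirm for the image in use).
      - ADMIN_TOKEN=${VAULTWARDEN_ADMIN_TOKEN}
      # NOTE(review): once the intended accounts exist, consider disabling open
      # registration via Vaultwarden's SIGNUPS_ALLOWED setting (not set here).
      # - SIGNUPS_ALLOWED=false
      # - SMTP_HOST=smtp.domain.tld
      # - SMTP_PORT=587
      # - [email protected]
      # - SMTP_FROM_NAME=Vaultwarden
      # - SMTP_USERNAME=username
      # - SMTP_PASSWORD=password
    network_mode: 'host'
    volumes:
      - /volume1/vaultwarden/vw-data:/data
  caddy:
    restart: always
    # NOTE(review): same "latest" concern as above.
    image: "caddy:latest"
    container_name: vaultwarden_caddy
    environment:
      - TZ=${TIMEZONE}
      - LOG_FILE=/data/logs/caddy.log
      # Update this if SSL required according to the use of your own cert or request one via ACME
      - SSL_CERT_PATH=/syno-cert/fullchain.pem
      - SSL_KEY_PATH=/syno-cert/privkey.pem
      # Explicit HOSTNAME overrides the value Docker would otherwise set; the
      # Caddyfile reads it as {$HOSTNAME}.
      - HOSTNAME=${CADDY_HOSTNAME}
      # - [email protected]
      - VAULTWARDEN_LOCALHOST_PORT=${VAULTWARDEN_LOCALHOST_PORT}
    network_mode: 'host'
    volumes:
      # Caddy only reads its config and the NAS certificate; mount both
      # read-only so the container cannot rewrite the Caddyfile or touch
      # the private key. /data and /config stay writable for Caddy's own state.
      - /volume1/vaultwarden/caddy-data/Caddyfile:/etc/caddy/Caddyfile:ro
      - /volume1/vaultwarden/caddy-data/data:/data
      - /volume1/vaultwarden/caddy-data/config:/config
      - ${SYNO_CERT_PATH}:/syno-cert:ro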
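#!/bin/bash
# Helper for the Vaultwarden + Caddy compose stack on a Synology NAS.
#
# Usage: ./run.sh [up|up-term|update|down]
#
# `up` and `up-term` resolve the NAS's current default-certificate directory
# and export it as SYNO_CERT_PATH before calling docker-compose, because
# Compose reads .env literally and cannot run the $(cat ...) needed to find it.
set -euo pipefail

# Compose reads docker-compose.yml and .env relative to the working directory;
# run from the script's own directory so the caller's cwd does not matter.
cd "$(dirname "$0")"

compose_file="docker-compose.yml"
syno_cert_archive="/usr/syno/etc/certificate/_archive"

# Print the directory of the NAS's DEFAULT certificate to stdout.
# Fails with a message on stderr instead of returning a bare archive path: an
# empty or unreadable DEFAULT would otherwise mount the whole archive, i.e.
# every certificate and private key on the NAS, into the Caddy container.
syno_cert_path() {
    local default_id
    default_id="$(cat "${syno_cert_archive}/DEFAULT")" || {
        echo "Cannot read ${syno_cert_archive}/DEFAULT" >&2
        return 1
    }
    if [ -z "$default_id" ] || [ ! -d "${syno_cert_archive}/${default_id}" ]; then
        echo "No certificate directory for DEFAULT='${default_id}' under ${syno_cert_archive}" >&2
        return 1
    fi
    printf '%s\n' "${syno_cert_archive}/${default_id}"
}

action="${1:-}"
case "$action" in
    "up")
        # Start the process, detached
        echo "Starting Vaultwarden..."
        # Assign first so a failed lookup aborts under set -e instead of
        # launching compose with an empty SYNO_CERT_PATH.
        cert_path="$(syno_cert_path)"
        SYNO_CERT_PATH="$cert_path" \
            docker-compose -f "$compose_file" up -d
        ;;
    "up-term")
        # Start the process in the foreground (logs stay on this terminal)
        echo "Starting Vaultwarden..."
        cert_path="$(syno_cert_path)"
        SYNO_CERT_PATH="$cert_path" \
            docker-compose -f "$compose_file" up
        ;;
    "update")
        # Stop the stack and pull newer images; run `up` afterwards to restart it.
        echo "Stopping and Updating Vaultwarden..."
        docker-compose -f "$compose_file" down
        docker-compose -f "$compose_file" pull
        ;;
    "down")
        # Stop the process
        echo "Stopping Vaultwarden..."
        docker-compose -f "$compose_file" down
        ;;
    *)
        # Fallback for no input or other input: usage goes to stderr and the
        # script exits non-zero so callers can detect the mistake.
        echo "Invalid input. Usage: ./run.sh [up|up-term|update|down]" >&2
        exit 1
        ;;
esac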