docker-compose.yml

version: '3.4'

x-logging: &default-logging
  logging:
    driver: "json-file"
    options:
      max-size: "10m"
      max-file: "10"
      compress: "true"


services:
  bitwarden:
    # Standard Bitwarden is very resource-heavy and cannot run on micro cloud instances
    # Vaultwarden is a Rust (mostly) feature-complete implementation of Bitwarden
    # https://github.com/dani-garcia/vaultwarden
    image: vaultwarden/server:latest-alpine
    restart: always
    container_name: bitwarden
    depends_on: 
    - proxy
    <<: *default-logging
    volumes:
    - ${PWD}/bitwarden:/data
    environment:
    - LOG_FILE=/data/bitwarden.log
    - SHOW_PASSWORD_HINT=false
    - DOMAIN=https://${DOMAIN}          # DOMAIN is set in .env but doesn't have protocol prefix
    - IP_HEADER=X-Real-IP
    - ADMIN_TOKEN                       # Value-less variables are set in .env
    - SIGNUPS_ALLOWED
    - SMTP_HOST
    - SMTP_FROM
    - SMTP_FROM_NAME=Bitwarden (${DOMAIN})
    - SMTP_PORT
    - SMTP_SECURITY
    - SMTP_USERNAME
    - SMTP_PASSWORD
    - PUSH_ENABLED
    - PUSH_INSTALLATION_ID
    - PUSH_INSTALLATION_KEY
    - YUBICO_CLIENT_ID
    - YUBICO_SECRET_KEY
    - YUBICO_SERVER
    - ORG_CREATION_USERS
    - TZ


  backup:
    #build: ./docker/backup                                     # backup, in case container registry is not responsive
    image: ghcr.io/dadatuputi/bwgc_backup:master                # from https://github.com/dadatuputi/bwgc_backup
    restart: on-failure
    container_name: backup
    depends_on:
    - bitwarden
    <<: *default-logging
    volumes: 
      - ${PWD}/.env:/.env:ro
      - ${PWD}/bitwarden:/data:ro
      - ${PWD}/bitwarden/rclone:/data/rclone 
      - ${PWD}/bitwarden/backups:/data/backups 
    environment:
    - BACKUP                            # Value-less variables are set in .env
    - BACKUP_SCHEDULE
    - BACKUP_DAYS
    - BACKUP_DIR
    - BACKUP_ENCRYPTION_KEY
    - BACKUP_EMAIL_TO
    - BACKUP_EMAIL_NOTIFY
    - BACKUP_RCLONE_CONF
    - BACKUP_RCLONE_DEST
    - BACKUP_ENV
    - SMTP_HOST
    - SMTP_FROM
    - SMTP_FROM_NAME=Bitwarden Backup (${DOMAIN})
    - SMTP_PORT
    - SMTP_SECURITY
    - SMTP_USERNAME
    - SMTP_PASSWORD
    - TZ


  proxy:
    # Caddy provides an automatic HTTPS reverse proxy with Let's Encrypt cert provisioning
    # Uses local Dockerfile to include tzdata package
    # https://caddyserver.com/
    #build: ./docker/proxy                              # backup, in case container registry is not responsive
    image: ghcr.io/dadatuputi/bwgc_caddy:master         # from https://github.com/dadatuputi/bwgc_proxy
    restart: always
    container_name: proxy
    <<: *default-logging
    volumes:
    - ${PWD}/caddy/Caddyfile:/etc/caddy/Caddyfile:ro
    - ${PWD}/caddy/data:/data
    - caddycerts:/root/.caddy
    ports:
    - 80:80                             # Port 80 is necessary for Let's Encrypt ACME
    - 443:443
    environment:
    - ACME_AGREE=true                   # agree to ACME for auto HTTPS
    - DOMAIN                            # Value-less variables are set in .env
    - EMAIL
    - TZ


  ddns:
    # This provides a ddclient dynamic dns updating cron which is as simple as running it
    # and editing the ddns/config/ddclient.conf file
    # https://github.com/linuxserver/docker-ddclient
    image: linuxserver/ddclient
    restart: always
    container_name: ddns
    <<: *default-logging
    depends_on: 
    - bitwarden
    volumes:
    - ${PWD}/ddns:/config
    environment:
    - PUID
    - PGID
    - TZ


  fail2ban:
    # Implements fail2ban functionality, banning ips that 
    # try to bruteforce your vault
    # https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup
    # https://github.com/crazy-max/docker-fail2ban
    image: crazymax/fail2ban:latest
    restart: always
    container_name: fail2ban
    <<: *default-logging
    depends_on:
    - bitwarden
    volumes:
    - ${PWD}/fail2ban:/data
    - ${PWD}/bitwarden:/bitwarden:ro
    network_mode: "host"
    privileged: true
    cap_add:
    - NET_ADMIN
    - NET_RAW
    environment:
    - F2B_DB_PURGE_AGE=30d
    - F2B_LOG_LEVEL=INFO
    - F2B_IPTABLES_CHAIN=INPUT
    - SSMTP_HOST=${SMTP_HOST}
    - SSMTP_PORT=${SMTP_PORT}
    - SSMTP_USER=${SMTP_USERNAME}
    - SSMTP_PASSWORD=${SMTP_PASSWORD}
    - SSMTP_HOSTNAME=Bitwarden (${DOMAIN})
    - SSMTP_TLS=${SMTP_TLS}
    - SSMTP_STARTTLS
    - TZ


  countryblock:
    # The block script will block any country (defaults to CN and AU)
    # Requires cap_add as listed and privileged because it uses iptables and ipset
    # https://hub.docker.com/_/alpine/
    #build: ./docker/countryblock                       # backup, in case container registry is not responsive
    image: ghcr.io/dadatuputi/bwgc_countryblock:master  # from https://github.com/dadatuputi/bwgc_countryblock
    restart: always
    container_name: countryblock
    <<: *default-logging
    depends_on: 
    - bitwarden
    network_mode: "host"
    privileged: true
    cap_add:
    - NET_ADMIN
    - NET_RAW
    environment:
    - COUNTRIES
    - COUNTRYBLOCK_SCHEDULE
    - TZ


  watchtower:
    # Watchtower will pull down your new image, gracefully shut down your existing container 
    # and restart it with the same options that were used when it was deployed initially
    # https://github.com/containrrr/watchtower
    image: containrrr/watchtower
    restart: always
    container_name: watchtower
    <<: *default-logging
    depends_on: 
    - bitwarden
    volumes:
    - /var/run/docker.sock:/var/run/docker.sock
    environment:
    - WATCHTOWER_CLEANUP=true
    - WATCHTOWER_SCHEDULE
    - TZ


volumes:
  caddycerts: