Vaultwarden Docker on Raspberry Pi with Caddy and Fail2ban

1. ### docker-compose.yml ###
2. services:
3. vaultwarden:
4. image: vaultwarden/server:latest
5. container_name: vaultwarden
6. restart: unless-stopped
7. environment:
8. DOMAIN: "https://vaultwarden.example.com" # change to you external facing domain, otherwise you can set it your local host name
9. SIGNUPS_ALLOWED: "true" # deactivate this with "false" after creating all accounts
10. ADMIN_TOKEN: SOME_RANDOM_PASSWORD # You should follow the instructions here to encrypt it. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#using-argon2
11. LOG_FILE: "/data/vaultwarden.log"
12. LOG_LEVEL: "warn"
13. EXTENDED_LOGGING: "true"
14. TZ: "America/Chicago" # Update to your time zone
15. volumes:
16. - /vw-data/:/data/ # update to your data folder, the first one is where it's on your local system
17. # ports:
18. # - 11005:80 # external:internal to docker
19.  
20. caddy:
21. image: caddy:2
22. container_name: caddy
23. restart: always
24. ports:
25. - 80:80
26. - 443:443
27. - 443:443/udp # Needed for HTTP/3
28. volumes:
29. #- ./caddy:/usr/bin/caddy
30. - ./Caddyfile:/etc/caddy/Caddyfile:ro
31. - ./caddy-config:/config
32. - ./caddy-data:/data
33. environment:
34. DOMAIN: "https://vaultwarden.example.com" # change to you external facing domain, otherwise you can set it your local host name
35. EMAIL: "[email protected]"
36. LOG_FILE: "/data/access.log"
37. TZ: "America/Chicago" # Update to your time zone
38.  
39. fail2ban:
40. image: crazymax/fail2ban
41. container_name: fail2ban
42. restart: always
43. environment:
44. - TZ=America/Chicago # Update to your time zone
45. - F2B_DB_PURGE_AGE=30d
46. - F2B_LOG_TARGET=/data/fail2ban.log
47. - F2B_LOG_LEVEL=INFO
48. - F2B_IPTABLES_CHAIN=FORWARD
49. volumes:
50. - /fail2ban/:/data
51. - /vw-data:/vaultwarden:ro # update both of these where you want the data for each of these to be stored on the host system
52. network_mode: "host"
53. privileged: true
54. cap_add:
55. - NET_ADMIN
56. - NET_RAW
57.  
58.  
59. ### Caddyfile ###
60. {$DOMAIN} {
61. log {
62. level INFO
63. output file {$LOG_FILE} {
64. roll_size 10MB
65. roll_keep 10
66. }
67. }
68.  
69. # Use the ACME HTTP-01 challenge to get a cert for the configured domain.
70. tls {$EMAIL}
71.  
72. # This setting may have compatibility issues with some browsers
73. # (e.g., attachment downloading on Firefox). Try disabling this
74. # if you encounter issues.
75. encode zstd gzip
76.  
77. # Uncomment to improve security (WARNING: only use if you understand the implications!)
78. # If you want to use FIDO2 WebAuthn, set X-Frame-Options to "SAMEORIGIN" or the Browser will block those requests
79. header / {
80. # # Enable HTTP Strict Transport Security (HSTS)
81. # Strict-Transport-Security "max-age=31536000;"
82. # # Disable cross-site filter (XSS)
83. # X-XSS-Protection "0"
84. # # Disallow the site to be rendered within a frame (clickjacking protection)
85. # X-Frame-Options "DENY"
86. # Prevent search engines from indexing (optional)
87. X-Robots-Tag "noindex, nofollow"
88. # # Disallow sniffing of X-Content-Type-Options
89. # X-Content-Type-Options "nosniff"
90. # # Server name removing
91. # -Server
92. # # Remove X-Powered-By though this shouldn't be an issue, better opsec to remove
93. # -X-Powered-By
94. # # Remove Last-Modified because etag is the same and is as effective
95. # -Last-Modified
96. }
97.  
98. # Proxy everything Rocket
99. reverse_proxy vaultwarden:80 {
100. # Send the true remote IP to Rocket, so that vaultwarden can put this in the
101. # log, so that fail2ban can ban the correct IP.
102. header_up X-Real-IP {remote_host}
103. }
104. }
105.  
106.  
107. ### /fail2ban/jail.d/vaultwarden.local ###
108. [vaultwarden]
109. enabled = true
110. port = 80,443,8081
111. filter = vaultwarden
112. banaction = %(banaction_allports)s
113. #banaction = iptables
114. logpath = /vaultwarden/vaultwarden.log
115. maxretry = 5
116. bantime = 14400
117. findtime = 14400
118. chain = FORWARD
119. actiontype = multiport
120.  
121. ### /fail2ban/jail.d/vaultwarden-admin.local ###
122. [vaultwarden-admin]
123. enabled = true
124. port = 80,443
125. filter = vaultwarden-admin
126. banaction = %(banaction_allports)s
127. logpath = /vaultwarden/vaultwarden.log
128. maxretry = 3
129. bantime = 14400
130. findtime = 14400
131. chain = FORWARD
132. actiontype = multiport
133.  
134. ### /fail2ban/jail.d/vaultwarden-totp.local ###
135. [vaultwarden-totp]
136. enabled = true
137. port = 80,443
138. filter = vaultwarden-totp
139. banaction = %(banaction_allports)s
140. logpath = /vaultwarden/vaultwarden.log
141. maxretry = 3
142. bantime = 14400
143. findtime = 14400
144. chain = FORWARD
145. actiontype = multiport
146.  
147. ### /fail2ban/action.d/iptables.local ###
148. [Init]
149. blocktype = DROP
150. [Init?family=inet6]
151. blocktype = DROP
152.  
153. [Definition]
154. actionban = <iptables> -I <chain> 1 -s <ip> -j <blocktype>
155. actionunban = <iptables> -D <chain> -s <ip> -j <blocktype>
156.  
157. ### /fail2ban/filter.d/vaultwarden.local ###
158. [INCLUDES]
159. before = common.conf
160.  
161. [Definition]
162. failregex = ^.*?Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
163. ignoreregex =
164.  
165. ### /fail2ban/filter.d/vaultwarden-admin.local ###
166. [INCLUDES]
167. before = common.conf
168.  
169. [Definition]
170. failregex = ^.*Invalid admin token\. IP: <ADDR>.*$
171. ignoreregex =
172.  
173. ### /fail2ban/filter.d/vaultwarden-totp.local ###
174. [INCLUDES]
175. before = common.conf
176.  
177. [Definition]
178. failregex = ^.*\[ERROR\] Invalid TOTP code! Server time: (.*) UTC IP: <ADDR>$
179. ignoreregex =