@fnord0
Last active December 15, 2021 00:58
QNAP NAS working docker-compose.yml for Vaultwarden and Caddy + Websockets and HTTPS via DuckDNS
  • Create the external qnet-static network that docker-compose.yml references (adjust interface, subnet and gateway to your LAN):

```sh
docker network create --driver=qnet --ipam-driver=qnet --ipam-opt=iface=bond0 --subnet 192.168.0.0/23 --gateway 192.168.1.1 qnet-static
```
  • Make symbolic links to /share/docker-data/vw-caddy/caddy and /share/docker-data/vw-caddy/data/lego so the binaries are in your $PATH:

```sh
ln -s /share/docker-data/vw-caddy/caddy /usr/bin/caddy
ln -s /share/docker-data/vw-caddy/data/lego /usr/bin/lego
```
  • You can have caddy check the Caddyfile's formatting, and even have it rewrite the file in place so the formatting is correct:

```sh
cd /share/docker-data/vw-caddy/config
caddy fmt -overwrite Caddyfile
```
  • No matter how many times I tried, and no matter what I did, I could not get Caddy working with automatic HTTPS with a QNAP NAS
  • This is why my instructions say to use Lego yourself to obtain your own SSL Certificate and SSL Key. Once I did this, Caddy, Vaultwarden and DuckDNS worked flawlessly for me

```sh
cd /share/docker-data/vw-caddy/data
DUCKDNS_TOKEN=12345678-aaaa-bbbb-cccc-dddddddddddd lego --accept-tos --dns duckdns -d DOMAIN.duckdns.org -m [email protected] run
```
  • When all files and folders are in the right place, run the following:

```sh
docker-compose up -d
```

-OR-

  • Paste the docker-compose.yml into QNAP Control Panel > Container Station > Create > Create Application

  • Application Name: vaultwarden

  • YAML: (PASTE the content of the docker-compose.yml file here, and make sure to fill in the Environment Variables properly)

  • Click Validate YAML button

  • Click Create button

  • Now wait a little for QNAP's Container Station to get everything operational. You can also manage things via Portainer, which is quite useful.

  • When everything is all said and done, you can check the status via the Container Station Overview, or run docker ps -a in an SSH session

  • It is a good idea to view logs of caddy and vaultwarden containers when troubleshooting

  • You can also have caddy validate the Caddyfile, but this is done later, once the caddy container is actually running, from inside that container:

```sh
docker exec -it caddy /bin/sh
cd /etc/caddy/
caddy validate -config /etc/caddy/Caddyfile
```
caddy.env (vw-caddy/config/caddy.env):

```sh
DOMAIN=DOMAIN-vw.duckdns.org
DUCKDNS_TOKEN=12345678-aaaa-bbbb-cccc-dddddddddddd
EMAIL=[email protected]
SSL_CERT_PATH=/etc/ssl/DOMAIN.duckdns.org.crt
SSL_KEY_PATH=/etc/ssl/DOMAIN.duckdns.org.key
```
Caddyfile (vw-caddy/config/Caddyfile):

```caddyfile
{$DOMAIN}:443 {
    log {
        level INFO
        output file {$LOG_FILE} {
            roll_size 10MB
            roll_keep 10
        }
    }

    # Certificate and key obtained with lego (see above)
    tls {$SSL_CERT_PATH} {$SSL_KEY_PATH}
    #tls {
    #    dns duckdns {$DUCKDNS_TOKEN}
    #}

    # Gzip compression, Zstandard compression
    encode zstd gzip

    header {
        # Enable HTTP Strict Transport Security (HSTS)
        Strict-Transport-Security "max-age=31536000;"
        # Enable cross-site filter (XSS) and tell browser to block detected attacks
        X-XSS-Protection "1; mode=block"
        # Disallow the site to be rendered within a frame (clickjacking protection)
        X-Frame-Options "DENY"
        # Prevents search engines from indexing (optional)
        X-Robots-Tag "none"
        # Remove the Server header
        -Server
    }

    # Requests for /admin* that do NOT come from one of these private ranges
    # (192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8) match and are redirected to /
    @insecureadmin {
        not remote_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
        path /admin*
    }
    redir @insecureadmin /

    reverse_proxy /notifications/hub/negotiate vaultwarden:80
    reverse_proxy /notifications/hub vaultwarden:3012
    reverse_proxy vaultwarden:80 {
        # Send the true remote IP to Rocket, so that vaultwarden can put this in the
        # log, so that fail2ban can ban the correct IP
        header_up X-Real-IP {remote_host}
    }
}
```
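To see exactly what the @insecureadmin matcher lets through, here is an added Python model of the Caddyfile's routing (written for this page, not part of the gist); it evaluates constructed (remote IP, path) pairs the way Caddy would and pulls out the external /admin attempts you would want to alert on from the access log.

```python
import ipaddress

# The ranges the Caddyfile's @insecureadmin matcher treats as "inside". Note that
# 192.168.0.0/16 spans 192.168.0.0-192.168.255.255, not just the NAS's own /23.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]

def is_insecure_admin(remote_ip, path):
    """Mirror the matcher: `not remote_ip <nets>` AND `path /admin*`.
    True means Caddy answers with `redir /` instead of proxying to vaultwarden."""
    addr = ipaddress.ip_address(remote_ip)
    from_private = any(addr in net for net in PRIVATE_NETS)
    # `/admin*` is a prefix match; compared case-sensitively here (a simplification)
    return not from_private and path.startswith("/admin")

def route(remote_ip, path):
    """Which handler in the Caddyfile a request ends up at."""
    if is_insecure_admin(remote_ip, path):
        return "redir /"
    if path == "/notifications/hub/negotiate":   # exact-path matchers (no '*')
        return "vaultwarden:80"
    if path == "/notifications/hub":
        return "vaultwarden:3012"                 # WebSocket notifications port
    return "vaultwarden:80"                       # everything else, LAN /admin included

def external_admin_attempts(entries):
    """From (remote_ip, path) pairs taken out of Caddy's access log, keep the
    /admin hits that came from outside the private ranges: the ones to alert on."""
    return [(ip, p) for ip, p in entries if is_insecure_admin(ip, p)]

# Constructed sample, not real traffic (203.0.113.0/24 is a documentation range)
SAMPLE = [
    ("192.168.1.50", "/admin"),                  # LAN: allowed through
    ("192.168.200.7", "/admin/users/overview"),  # still inside /16: allowed
    ("203.0.113.5", "/admin"),                   # Internet: redirected
    ("203.0.113.5", "/api/sync"),                # Internet, not admin: proxied
    ("10.0.0.3", "/notifications/hub"),          # WebSocket endpoint
]

if __name__ == "__main__":
    for ip, path in SAMPLE:
        print(f"{ip:15} {path:28} -> {route(ip, path)}")
    print("external admin attempts:", external_admin_attempts(SAMPLE))
```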
docker-compose.yml (vw-caddy/docker-compose.yml):

```yaml
version: '3'
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      - DOMAIN=https://DOMAIN.duckdns.org
      - WEBSOCKET_ENABLED=true # Enable WebSocket notifications.
      - SMTP_HOST=smtp.gmail.com
      #- SMTP_FROM=[email protected]
      - SMTP_FROM=[email protected]
      - SMTP_FROM_NAME=Vaultwarden
      - SMTP_PORT=587
      - SMTP_SSL=true
      - SMTP_USERNAME=[email protected]
      - SMTP_PASSWORD=PASSWORD
      - SMTP_TIMEOUT=15
      # Yubico API key signup at https://upgrade.yubico.com/getapikey/
      # YubiKey for YubiCloud Configuration Guide at https://support.yubico.com/hc/en-us/articles/360016614800-YubiKey-for-YubiCloud-Configuration-Guide
      #- YUBICO_CLIENT_ID=#####
      #- YUBICO_SECRET_KEY=abcdefghijklmnopqrstuvwxyz0=
      - LOG_FILE=/data/bitwarden.log
      - EXTENDED_LOGGING=true
      - ADMIN_TOKEN=abcdefghijklmnopqrstuvwxyz01234567890abcdefghijklmnopqrstuvwxyz0 # REQUIRED for admin interface panel, use "openssl rand -base64 48"
      - PASSWORD_ITERATIONS=100100 # PBKDF2 password iterations to apply on the server when the password is changed
    volumes:
      - /share/docker-data/vw/data:/data
    networks:
      qnet-static:
        # ipv4_address must be different from caddy ipv4_address
        ipv4_address: 192.168.##.##
  caddy:
    image: caddy:latest
    container_name: caddy
    restart: always
    depends_on:
      - vaultwarden
    #ports:
    #  - 80:80 # Needed for the ACME HTTP-01 challenge.
    #  - 443:443
    volumes:
      - /share/docker-data/vw-caddy/caddy:/usr/bin/caddy # Your custom build of Caddy, obtain at https://caddyserver.com/download?package=github.com%2Fcaddy-dns%2Flego-deprecated&package=github.com%2Fcaddy-dns%2Fduckdns
      - /share/docker-data/vw-caddy/data/lego:/usr/bin/lego # lego github release file amd64, obtain at https://github.com/go-acme/lego/releases
      - /share/docker-data/vw-caddy/config/Caddyfile:/etc/caddy/Caddyfile:ro # see Caddyfile
      - /share/docker-data/vw-caddy/config:/config
      - /share/docker-data/vw-caddy/data:/data
      - /share/docker-data/vw-caddy/data/sites:/var/www/html
      - /share/docker-data/vw-caddy/data/.lego/certificates/DOMAIN.duckdns.org.crt:/etc/ssl/DOMAIN.duckdns.org.crt # obtain by running DUCKDNS_TOKEN=12345678-aaaa-bbbb-cccc-dddddddddddd ./lego --accept-tos --dns duckdns -d DOMAIN.duckdns.org -m [email protected] run
      - /share/docker-data/vw-caddy/data/.lego/certificates/DOMAIN.duckdns.org.key:/etc/ssl/DOMAIN.duckdns.org.key # same as above
      - /share/docker-data/vw-caddy/data/.lego/certificates/DOMAIN.duckdns.org.json:/etc/ssl/DOMAIN.duckdns.org.json # same as above
      - /share/docker-data/vw-caddy/data/.lego/certificates/DOMAIN.duckdns.org.issuer.crt:/etc/ssl/DOMAIN.duckdns.org.issuer.crt # same as above
      #- Certfiles:/root/.caddy
    environment:
      - DOMAIN=DOMAIN.duckdns.org # Your domain.
      - DUCKDNS_TOKEN=12345678-aaaa-bbbb-cccc-dddddddddddd # Your Duck DNS token.
      - EMAIL=[email protected] # The email address to use for ACME registration.
      - LOG_FILE=/data/access.log
      - SSL_CERT_PATH=/etc/ssl/DOMAIN.duckdns.org.crt
      - SSL_KEY_PATH=/etc/ssl/DOMAIN.duckdns.org.key
    networks:
      qnet-static:
        # ipv4_address must be different from vaultwarden ipv4_address
        ipv4_address: 192.168.##.##
networks:
  qnet-static:
    external: true
```
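Because the compose file above is pasted into Container Station by hand, a small preflight check catches values left unfilled before the stack goes live. The following Python is an added example (not part of the gist); it assumes the gist's two-space YAML layout, reads the environment and ipv4_address entries without PyYAML, and flags the sample token values, `##` addresses and two services sharing one address.

```python
PLACEHOLDERS = {  # values exactly as they appear in the gist's docker-compose.yml
    "DUCKDNS_TOKEN": "12345678-aaaa-bbbb-cccc-dddddddddddd",
    "ADMIN_TOKEN": "abcdefghijklmnopqrstuvwxyz01234567890abcdefghijklmnopqrstuvwxyz0",
    "SMTP_PASSWORD": "PASSWORD",
}

def parse_services(text):
    """Reader for the gist's two-space layout: {service: {"env": {K: V}, "ip": addr}}."""
    services, svc, section, in_services = {}, None, None, False
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()           # drop trailing comments
        s = line.strip()
        if not s or s.startswith("#"): continue
        indent = len(line) - len(s)
        if indent == 0: in_services, svc = s == "services:", None   # top-level key
        elif not in_services: continue
        elif indent == 2 and s.endswith(":"):             # service name
            svc, section = s[:-1], None
            services[svc] = {"env": {}, "ip": None}
        elif indent == 4 and s.endswith(":"):             # environment: / volumes: / networks:
            section = s[:-1]
        elif section == "environment" and s.startswith("- "):
            key, _, val = s[2:].partition("=")
            services[svc]["env"][key] = val
        elif section == "networks" and s.startswith("ipv4_address:"):
            services[svc]["ip"] = s.split(":", 1)[1].strip()
    return services

def preflight(text):
    """Problems found in a docker-compose.yml text; an empty list means ready to deploy."""
    svc, problems = parse_services(text), []
    for name, d in svc.items():
        problems += [f"{name}: {k} is still the gist placeholder"
                     for k, v in d["env"].items() if PLACEHOLDERS.get(k) == v]
        if not d["ip"] or "#" in d["ip"]:                 # 192.168.##.## left unfilled
            problems.append(f"{name}: ipv4_address missing or not filled in")
    ips = [d["ip"] for d in svc.values() if d["ip"]]
    if len(ips) != len(set(ips)):
        problems.append("caddy and vaultwarden must not share an ipv4_address")
    return problems

# Constructed sample (not the gist's file): token and address left as placeholders
SAMPLE = """services:
  caddy:
    environment:
      - DUCKDNS_TOKEN=12345678-aaaa-bbbb-cccc-dddddddddddd # Your Duck DNS token.
    networks:
      qnet-static:
        ipv4_address: 192.168.##.##
"""
```

Run `preflight(open("docker-compose.yml").read())` on your own file; anything it returns should be fixed before clicking Create.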
Folder and file structure on the QNAP NAS:

```text
# This is an output of the folders and files structure on QNAP NAS
# All files and folders for me are owned by admin:administrators
[/share/docker-data] # find -L vw* -print
vw # Folder
vw/data # Folder
vw-caddy # Folder
vw-caddy/config # Folder
vw-caddy/config/caddy.env
vw-caddy/config/Caddyfile
vw-caddy/docker-compose.yml
vw-caddy/caddy # caddy binary, your custom build of Caddy, obtain at https://caddyserver.com/download?package=github.com%2Fcaddy-dns%2Flego-deprecated&package=github.com%2Fcaddy-dns%2Fduckdns
vw-caddy/data # Folder
vw-caddy/data/.lego # Folder
vw-caddy/data/.lego/certificates # Folder
vw-caddy/data/.lego/certificates/DOMAIN.duckdns.org.crt
vw-caddy/data/.lego/certificates/DOMAIN.duckdns.org.key
vw-caddy/data/.lego/certificates/DOMAIN.duckdns.org.json
vw-caddy/data/.lego/certificates/DOMAIN.duckdns.org.issuer.crt
vw-caddy/data/.lego/accounts # Folder
vw-caddy/data/.lego/accounts/acme-v02.api.letsencrypt.org # Folder
vw-caddy/data/.lego/accounts/acme-v02.api.letsencrypt.org/[email protected]
vw-caddy/data/.lego/accounts/acme-v02.api.letsencrypt.org/[email protected]/keys
vw-caddy/data/.lego/accounts/acme-v02.api.letsencrypt.org/[email protected]/keys/[email protected]
vw-caddy/data/.lego/accounts/acme-v02.api.letsencrypt.org/[email protected]/account.json
vw-caddy/data/sites # Folder
vw-caddy/data/sites/index.html
vw-caddy/data/lego_v4.5.3_linux_amd64.tar.gz # lego github release linux_amd64.tar.gz file, obtain at https://github.com/go-acme/lego/releases
vw-caddy/data/lego # lego binary, run "DUCKDNS_TOKEN=12345678-aaaa-bbbb-cccc-dddddddddddd lego --accept-tos --dns duckdns -d DOMAIN.duckdns.org -m [email protected] run"
```
index.html (vw-caddy/data/sites/index.html):

```html
<html>
<head>
  <title>Endless deadend</title>
  <style>
    body{background-color:#222;color:#FFF;font-size:50px;font-family:arial,verdana,sans-serif}
    .endless{position:relative;text-align:center;width:200px;height:auto;left:50%;top:2em;transform:translateX(-50%)}
  </style>
</head>
<body>
  <div class="endless"><center>Endless deadend</center></div>
</body>
</html>
```