mit bitwarden und mailcow

bitwarden/config.yml

@@ -0,0 +1,92 @@
+# 
+# Note: After making changes to this file you need to run the `rebuild` or `update`
+# command for them to be applied.
+# 
+# Full URL for accessing the installation from a browser. (Required)
+url: http://bitwarden.herrmann.es
+# 
+# Auto-generate the `./docker/docker-compose.yml` config file.
+# WARNING: Disabling generated config files can break future updates. You will be
+# responsible for maintaining this config file.
+# Template: https://github.com/bitwarden/server/blob/master/util/Setup/Templates/DockerCompose.hbs
+generate_compose_config: true
+# 
+# Auto-generate the `./nginx/default.conf` file.
+# WARNING: Disabling generated config files can break future updates. You will be
+# responsible for maintaining this config file.
+# Template: https://github.com/bitwarden/server/blob/master/util/Setup/Templates/NginxConfig.hbs
+generate_nginx_config: true
+# 
+# Docker compose file port mapping for HTTP. Leave empty to remove the port mapping.
+# Learn more: https://docs.docker.com/compose/compose-file/#ports
+http_port: 445
+# 
+# Docker compose file port mapping for HTTPS. Leave empty to remove the port mapping.
+# Learn more: https://docs.docker.com/compose/compose-file/#ports
+https_port: 444
+# 
+# Configure Nginx for Captcha.
+captcha: false
+# 
+# Configure Nginx for SSL.
+ssl: false
+# 
+# SSL versions used by Nginx (ssl_protocols). Leave empty for recommended default.
+# Learn more: https://wiki.mozilla.org/Security/Server_Side_TLS
+ssl_versions: 
+# 
+# SSL ciphersuites used by Nginx (ssl_ciphers). Leave empty for recommended default.
+# Learn more: https://wiki.mozilla.org/Security/Server_Side_TLS
+ssl_ciphersuites: 
+# 
+# Installation uses a managed Let's Encrypt certificate.
+ssl_managed_lets_encrypt: false
+# 
+# The actual certificate. (Required if using SSL without managed Let's Encrypt)
+# Note: Path uses the container's ssl directory. The `./ssl` host directory is mapped to
+# `/etc/ssl` within the container.
+ssl_certificate_path: 
+# 
+# The certificate's private key. (Required if using SSL without managed Let's Encrypt)
+# Note: Path uses the container's ssl directory. The `./ssl` host directory is mapped to
+# `/etc/ssl` within the container.
+ssl_key_path: 
+# 
+# If the certificate is trusted by a CA, you should provide the CA's certificate.
+# Note: Path uses the container's ssl directory. The `./ssl` host directory is mapped to
+# `/etc/ssl` within the container.
+ssl_ca_path: 
+# 
+# Diffie Hellman ephemeral parameters
+# Learn more: https://security.stackexchange.com/q/94390/79072
+# Note: Path uses the container's ssl directory. The `./ssl` host directory is mapped to
+# `/etc/ssl` within the container.
+ssl_diffie_hellman_path: 
+# 
+# Nginx Header Content-Security-Policy parameter
+# WARNING: Reconfiguring this parameter may break features. By changing this parameter
+# you become responsible for maintaining this value.
+nginx_header_content_security_policy: 
+# 
+# Communicate with the Bitwarden push relay service (push.bitwarden.com) for mobile
+# app live sync.
+push_notifications: true
+# 
+# Use a docker volume (`mssql_data`) instead of a host-mapped volume for the persisted database.
+# WARNING: Changing this value will cause you to lose access to the existing persisted database.
+# Learn more: https://docs.docker.com/storage/volumes/
+database_docker_volume: false
+# 
+# Defines "real" IPs in nginx.conf. Useful for defining proxy servers that forward the 
+# client IP address.
+# Learn more: https://nginx.org/en/docs/http/ngx_http_realip_module.html
+# 
+# Defined as a dictionary, e.g.:
+# real_ips: ['10.10.0.0/24', '172.16.0.0/16']
+real_ips: 
+# 
+# Enable Key Connector (https://bitwarden.com/help/article/deploy-key-connector)
+enable_key_connector: false
+# 
+# Enable SCIM
+enable_scim: false

bitwarden/docker-compose.override.yml

@@ -0,0 +1,24 @@
+services:
+  nginx:
+    labels:
+      - traefik.enable=true
+      - traefik.http.middlewares.nginx-redirect-websecure.redirectscheme.scheme=https
+      - traefik.http.routers.nginx-web.rule=Host(`bitwarden.herrmann.es`)
+      - traefik.http.routers.nginx-web.entrypoints=web
+      - traefik.http.routers.nginx-web.middlewares=nginx-redirect-websecure
+      - traefik.http.routers.nginx-websecure.entrypoints=websecure
+      - traefik.http.routers.nginx-websecure.rule=Host(`bitwarden.herrmann.es`)
+      - traefik.tags= traefik-public
+      - traefik.docker.network=traefik-public
+      - traefik.http.routers.nginx-websecure.tls=true
+      - traefik.http.routers.nginx-websecure.tls.certresolver=myresolver
+      - traefik.http.services.bitwarden-nginx.loadbalancer.server.port=8080
+
+    networks:
+      - traefik-public
+
+networks:
+  traefik-public:
+    name: traefik-public
+    external: true
+

bitwarden/global.override.env

@@ -0,0 +1,36 @@
+globalSettings__baseServiceUri__vault=https://bitwarden.herrmann.es
+globalSettings__baseServiceUri__cloudRegion=US
+globalSettings__sqlServer__connectionString="Data Source=tcp:mssql,1433;Initial Catalog=vault;Persist Security Info=False;User ID=sa;Password=pRA6ibAm7ODCpZSyvKpDpyvKJFOaa0uv;MultipleActiveResultSets=False;Connect Timeout=30;Encrypt=True;TrustServerCertificate=True"
+globalSettings__identityServer__certificatePassword=yQeVOvf9JDpflyOrIQMQIe2CJOGtvNvM
+globalSettings__internalIdentityKey=9iPt4ERlWJNVzYQ1K1Jz3CK0UhEne4ru2V3tFLKawWbjrvwDuObE7ZMkJu3UeJUF
+globalSettings__oidcIdentityClientKey=WXcaXid68p1iaa24NBm8W60yQtN0P0wVcY8WOyXOFS7j6SviI2PmKS6vxzbItqQW
+globalSettings__duo__aKey=JwXxgffEh2TD6WBIgXgOJf4CihypMS0kN7Bqyx9nxisVuvwujK1JINyfDPgwMxIc
+globalSettings__installation__id=b644b86f-99bb-4aca-9d35-ac4b00808148
+globalSettings__installation__key=gEyWjSRa8C3mfuWqiV2W
+globalSettings__yubico__clientId=REPLACE
+globalSettings__yubico__key=REPLACE
+globalSettings__mail__replyToEmail=no-reply@bitwarden.herrmann.es
+globalSettings__mail__smtp__host=mail.herrmann.es
+globalSettings__mail__smtp__port=25
+globalSettings__mail__smtp__ssl=false
+globalSettings__mail__smtp__username=
+globalSettings__mail__smtp__password=
+globalSettings__disableUserRegistration=false
+globalSettings__hibpApiKey=REPLACE
+adminSettings__admins=bitwarden@herrmann.es
+globalSettings__baseServiceUri__cloudVaultRegion=US
+globalSettings__baseServiceUri__api=https://bitwarden.herrmann.es/api
+globalSettings__baseServiceUri__identity=https://bitwarden.herrmann.es/identity
+globalSettings__baseServiceUri__admin=https://bitwarden.herrmann.es/admin
+globalSettings__baseServiceUri__notifications=https://bitwarden.herrmann.es/notifications
+globalSettings__baseServiceUri__sso=https://bitwarden.herrmann.es/sso
+globalSettings__baseServiceUri__portal=https://bitwarden.herrmann.es/portal
+globalSettings__attachment__baseDirectory=/etc/bitwarden/core/attachments
+globalSettings__attachment__baseUrl=https://bitwarden.herrmann.es/attachments
+globalSettings__send__baseDirectory=/etc/bitwarden/core/attachments/send
+globalSettings__send__baseUrl=https://bitwarden.herrmann.es/attachments/send
+globalSettings__dataProtection__directory=/etc/bitwarden/core/aspnet-dataprotection
+globalSettings__logDirectory=/etc/bitwarden/logs
+globalSettings__logRollBySizeLimit=
+globalSettings__syslog__destination=
+globalSettings__licenseDirectory=/etc/bitwarden/core/licenses

global/docker-compose.yml

@@ -8,8 +8,10 @@ services:
 #    image: "traefik:v2.2"
     image: "traefik:latest"
     command:
-      - --log.level=DEBUG
+      - "--accesslog=true"
-      - --accesslog=true
+      - "--log.level=DEBUG"
+      - "--providers.docker"
+      - "--log.filePath=/logs/traefik.log"
     container_name: "traefik"
     restart: always
     ports:
@@ -21,6 +23,7 @@ services:
       - "/var/run/docker.sock:/var/run/docker.sock:ro"
       - "${PWD}/traefik.toml:/etc/traefik/traefik.toml"
       - "${PWD}/dynamic.toml:/etc/traefik/dynamic.toml"
+      - "traefik_logs:/logs/"
     networks:
       - internal
       - traefik-public
@@ -121,6 +124,7 @@ volumes:
   letsencrypt:
   portainer_data:
   gitea_data:
+  traefik_logs:
 networks:
 # das Netzwerk traefik-public muss extern true haben, es wird nicht von dem Dockerfile hier erstellt
 # Es haben alle container Zugriff darauf.