homelab-infra/security/vaultwarden/docker-compose.yml
Micha 23a6975a67 Restrict Vaultwarden /admin to trusted networks (Tailscale + LAN)
Audit 2026-06-23 (P1): /admin was publicly reachable (200). Add a higher-priority Traefik router scoped to PathPrefix(/admin) with an ipallowlist middleware (Tailnet 100.64.0.0/10 + LAN 192.168.178.0/24); the main router stays unrestricted so browser and mobile clients keep working from anywhere. Documented in docs/DECISIONS.md.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-23 11:03:26 +02:00


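services:
  vaultwarden:
    # Image pinned by digest so a re-tagged upstream image cannot change what runs here.
    image: vaultwarden/server:1.36.0@sha256:d626d04934cd1192ad8ced1adb975099fca78cec33ab467d2d3c923cde7f3b0c
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      TZ: Europe/Berlin
      DOMAIN: https://vault.kaleschke.info
      WEBSOCKET_ENABLED: "true"
      # Self-service registration and organisation invitations are switched off.
      SIGNUPS_ALLOWED: "false"
      INVITATIONS_ALLOWED: "false"
      # Secrets are read from files (bind-mounted read-only below), never inlined here.
      ADMIN_TOKEN_FILE: /run/secrets/admin_token
      SMTP_HOST: smtp.gmx.net
      SMTP_PORT: "587"
      SMTP_SECURITY: starttls
      SMTP_USERNAME: michideheld@gmx.de
      SMTP_PASSWORD_FILE: /run/secrets/smtp_password
      SMTP_FROM: michideheld@gmx.de
      SMTP_FROM_NAME: KalliLab Vaultwarden
      # Quoted like SMTP_PORT above so every env value is a string (compose otherwise
      # has to coerce the integer itself).
      ROCKET_PORT: "80"
      ROCKET_ADDRESS: 0.0.0.0
    volumes:
      - /mnt/user/appdata/vaultwarden:/data
      # Secret files mounted read-only at the paths the *_FILE variables point to.
      - /mnt/user/appdata/secrets/vaultwarden_admin_token.txt:/run/secrets/admin_token:ro
      - /mnt/user/appdata/secrets/homelab_smtp_password.txt:/run/secrets/smtp_password:ro
    dns:
      # LAN resolver first, public resolvers listed after it.
      - 192.168.178.58
      - 1.1.1.1
      - 8.8.8.8
    networks:
      - frontend_net
    security_opt:
      # Processes in the container cannot gain privileges via setuid/setcap binaries.
      - no-new-privileges:true
    healthcheck:
      # vaultwarden image ships curl, not wget
      test: ["CMD-SHELL", "curl -fsS http://localhost:80/alive || exit 1"]
      interval: 30s
      timeout: 5s
      retries: 5
      start_period: 30s
    labels:
      - traefik.enable=true
      - traefik.docker.network=frontend_net
      # Main router: the whole site over TLS, reachable from anywhere.
      - traefik.http.routers.vaultwarden.rule=Host(`vault.kaleschke.info`)
      - traefik.http.routers.vaultwarden.entrypoints=websecure
      - traefik.http.routers.vaultwarden.tls=true
      - traefik.http.routers.vaultwarden.tls.certresolver=le
      - traefik.http.services.vaultwarden.loadbalancer.server.port=80
      # Audit 2026-06-23 (P1): /admin was publicly reachable (200). A second,
      # higher-priority router scoped to /admin lets only Tailnet + LAN through
      # (everyone else gets 403). The main router above stays unrestricted so
      # browser and mobile clients keep working from anywhere.
      # The explicit priority guarantees this router is evaluated before the main
      # one. The allowlist is matched against the peer address Traefik sees; if
      # another proxy is ever placed in front of Traefik, that proxy's address
      # would be compared instead and the ipStrategy needs revisiting.
      # NOTE(review): assumes Traefik is the edge listener here — confirm.
      - traefik.http.routers.vaultwarden-admin.rule=Host(`vault.kaleschke.info`) && PathPrefix(`/admin`)
      - traefik.http.routers.vaultwarden-admin.entrypoints=websecure
      - traefik.http.routers.vaultwarden-admin.tls=true
      - traefik.http.routers.vaultwarden-admin.tls.certresolver=le
      - traefik.http.routers.vaultwarden-admin.service=vaultwarden
      - traefik.http.routers.vaultwarden-admin.priority=100
      - traefik.http.routers.vaultwarden-admin.middlewares=vaultwarden-admin-allowlist@docker
      - traefik.http.middlewares.vaultwarden-admin-allowlist.ipallowlist.sourcerange=100.64.0.0/10,192.168.178.0/24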
# Traefik-facing network; declared external, so compose attaches to an existing
# network instead of creating its own.
networks:
  frontend_net:
    external: true