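---
# Variables for the vaultwarden job. Values written as [[ ... ]] are template
# expressions resolved by the deployment tooling before this file is consumed;
# they are plain text to the YAML parser.
#
# NOTE(review): the indentation of the reviewed copy was lost. The nesting
# below (in particular where `rand_secrets`, `wait_for` and `admin` hang) is
# reconstructed from the comments and the template references — confirm it
# against the templates that read these variables.

# Name of this instance (job and service name)
instance: vaultwarden

vaultwarden:

  # Server settings
  server:

    # Version to deploy
    # (two dots keep this a string; a major.minor value such as 1.30 would be
    # parsed as the float 1.3 unless quoted)
    version: 1.30.5

    # Docker image to use
    image: vaultwarden/server:[[ .vaultwarden.server.version ]]-alpine

    # Number of instances to run
    count: 1

    # List of features to enable when building image
    # (not used for now)
    features:
      - postgresql

    # List of vault policies to attach to the task
    vault:
      policies:
        - '[[ .instance ]][[ .consul.suffix ]]'

      # A list of random secrets to generate if not present in vault kv store
      # (admin_token presumably ends up as the ADMIN_TOKEN env var that enables
      # the /admin interface described further down — verify in the job template)
      rand_secrets:
        fields:
          - admin_token

    # Postgres settings
    postgres:
      pooler:
        mode: session

    # Resources allocation
    resources:
      cpu: 300
      memory: 128

    # Consul settings
    consul:
      connect:
        # Upstreams are bound on localhost by the Connect sidecar proxy, so the
        # plaintext SMTP hop configured in env below never leaves the host;
        # Connect carries it mTLS to the mail service.
        upstreams:
          - destination_name: '[[ .mail.smtp_service_name ]]'
            local_bind_port: 25
          - destination_name: postgres[[ .consul.suffix ]]
            local_bind_port: 5432
      wait_for:
        - service: master.postgres[[ .consul.suffix ]]

    # Environment variables to set in the container
    env:
      ORG_EVENTS_ENABLED: 'true'
      EVENTS_DAYS_RETAIN: 720
      SIGNUPS_VERIFY: 'true'
      SMTP_HOST: localhost
      SMTP_PORT: 25
      SMTP_FROM: vaultwarden-no-reply@[[ .consul.domain ]]
      # Quoted on purpose: a bare `off` is a YAML 1.1 boolean (false), not the
      # string vaultwarden expects. Plaintext SMTP is only acceptable here
      # because the host is the local Connect sidecar (see consul.connect).
      SMTP_SECURITY: 'off'
      TRASH_AUTO_DELETE_DAYS: 7
      INCOMPLETE_2FA_TIME_LIMIT: 5
      USER_ATTACHMENT_LIMIT: 204800

    # Public URL of the service
    # NOTE(review): with the trailing slash kept here, admin.public_url below
    # renders with a double slash before "admin"; drop the slash on one side.
    public_url: https://vaultwarden.example.org/

    # Traefik settings
    traefik:
      # Makes sure ... (original comment is truncated here; this is the
      # Traefik router priority, below the admin router's 200 further down)
      priority: 100
      # Content-Security-Policy directives, presumably rendered into a Traefik
      # headers middleware — confirm in the job template.
      csp:
        default-src: "'self'"
        img-src: "'self' data: https://www.gravatar.com"
        # 'unsafe-inline' and 'unsafe-eval' remove most of the XSS protection a
        # CSP provides; presumably required by the web vault — check against the
        # upstream vaultwarden default headers before keeping them.
        script-src: "'self' 'unsafe-inline' 'unsafe-eval'"
        style-src: "'self' 'unsafe-inline'"
        font-src: "'self' data:"
        connect-src: "'self' https://api.pwnedpasswords.com https://api.2fa.directory"

    # Settings for the /admin interface
    # Note that this interface is disabled unless ADMIN_TOKEN env var is set
    admin:
      public_url: '[[ .vaultwarden.server.public_url ]]/admin'
      # If enabled, we can set specific Traefik middlewares
      traefik:
        strip_prefix: false
        router: admin
        priority: 200

    # Volumes for data persistence
    volumes:
      data:
        type: csi
        source: vaultwarden-data
        access_mode: multi-node-multi-writer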