Creates a Docker container stack of
The Cloudflare tunnel allows for administration through Cloudflare to add a subdomain, HTTPS, access rules, and more, without the need for port forwarding, a firewall, or self-signed certs.
This is important because Vaultwarden won't let you log in without an encrypted connection (HTTPS), so a docker-compose stack with Cloudflare is one of the easiest methods for obtaining an HTTPS connection to an otherwise non-encrypted system.
This is out of scope of this documentation; however, obtaining a Cloudflare domain is super simple. Create a Cloudflare account and buy a domain here.
Following this README, you can run Vaultwarden on the root of this new domain or on a subdomain of your choice and have it be reachable to the outside world.
The following command will create a folder in your home folder titled VaultWarden. This will contain the files from this repository and hopefully soon contain Vaultwarden's data.
Note: Make sure to have git installed first.
git clone https://github.com/christensenjairus/Docker-Compose-Stack-for-Vaultwarden-Cloudflared.git ~/VaultWarden && cd ~/VaultWarden
Access > Tunnels. This page should look like this.
Create a Tunnel and name it whatever you like. Vaultwarden is fine.
Save Tunnel.
Install and run a connector. In the above screenshot, the token starts with eyJhI.
docker-compose.yaml
In the docker-compose file, place the token on the following line.
command: "tunnel --no-autoupdate run --token <token here!>"
Once done, it should look something like this
command: "tunnel --no-autoupdate run --token eyJhIjoiYmNjMGFjZjYxZGM1Mzk2MzkxNjBhZjNhM2I4YTNjMTEiLCJ0IjoiYTg1YjczNWYtNTdjOC00ZGNmLTk2ZDgtMzkxNWEyNGI2OTAyIiwicyI6IllqRmxZV0ppTkRVdFlUazVNeTAwTlRjeExUZzNNekF0WWpZNFpqVm1NV1l5WldNNCJ9"
By default, Vaultwarden will use the vw-data folder created when cloning this repo, as long as you run sudo docker-compose up -d while in the same folder as the docker-compose.yaml file.
If you’d like to store this data elsewhere, change the file path to the left of the colon (:) on the following line of docker-compose.yaml.
- ./vw-data:/data
For example, this could be the following if I wanted it in Jacob’s Documents folder
- /home/jacob/Documents/VaultWarden_Data:/data
cd into the same folder as the docker-compose.yaml file and run the following to create and run the docker stack. The -d flag means ‘run in the background’ and can be omitted for debugging so you can see the vaultwarden and cloudflare logs.
sudo docker-compose up -d
Access > Tunnels and view the tunnel status from there. It will either say Healthy or Down.
Next or go back to the Tunnel configuration page and click Public Hostname at the top.
Add a public hostname
Type to be HTTP and the URL to be vaultwarden:80
Save hostname.
Your vaultwarden instance should now be accessible from the internet on that URL. Try it!
Visit the Cloudflare Dashboard, click on your website, then navigate with the left side panel to SSL/TLS > Overview. This page will look like this.
Full (strict) to ensure that the connection is always safely encrypted.
Edge Certificates from the side menu. This page will look like this.
Always use HTTPS to ensure your traffic is never unencrypted.
backup.sh file included in this repository
cd /home/<username>/VaultWarden/
backup.sh executable so that you or your cronjob can run it.
sudo chmod +x ./backup.sh
./backup.sh to verify that it is working and that there is a new .tar file in the Backups folder.
backup.sh, because you'll need to enter it into the crontab file.
sudo crontab -e
0 0 * * * /home/<username>/VaultWarden/backup.sh
backup.sh file every night at midnight.
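A check for the backup routine above, as an added example that is not part of this repository: it confirms that the newest .tar in the Backups folder is recent and readable, which a silently failing cronjob would otherwise hide. It assumes the archives are plain .tar files that include Vaultwarden's db.sqlite3; the function names and return codes are made up for this example.

```bash
#!/usr/bin/env bash
# Added example, not part of the repository: check that the nightly backup
# actually produced a fresh, readable archive.
# Assumptions: archives are plain .tar files in one folder and include
# Vaultwarden's SQLite database file, db.sqlite3.

# newest_backup DIR: print the most recently modified .tar in DIR.
newest_backup() {
    local dir="$1" newest="" f
    for f in "$dir"/*.tar; do
        [ -e "$f" ] || continue        # glob matched nothing
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest="$f"
        fi
    done
    [ -n "$newest" ] && printf '%s\n' "$newest"
}

# check_backup DIR [MAX_AGE_MINUTES]
# Default window is 1500 minutes (25 hours) to match a once-a-night cronjob.
# Returns 0 = healthy, 1 = no archive, 2 = stale, 3 = unreadable,
# 4 = database file missing from the archive.
check_backup() {
    local dir="$1" max_age="${2:-1500}" latest listing
    latest=$(newest_backup "$dir") || return 1
    # find prints the path only if it was modified within the window
    [ -n "$(find "$latest" -mmin "-$max_age" -print)" ] || return 2
    listing=$(tar -tf "$latest" 2>/dev/null) || return 3
    printf '%s\n' "$listing" | grep -Eq '(^|/)db\.sqlite3$' || return 4
    return 0
}

# Usage (folder from the steps above):
#   check_backup "/home/<username>/VaultWarden/Backups" || echo "backup check failed: $?"
```
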