Merge remote-tracking branch 'template/main'
* template/main: (45 commits)
  fix(container): update image vaultwarden/server to v1.30.5 (#31)
  feat(websockets): websockets are now enabled by default
  chore(deps): update docker/login-action digest to e92390c
  chore(deps): update docker/build-push-action digest to 2cdde99
  chore(deps): update docker/build-push-action digest to af5a7ed
  chore(deps): update docker/metadata-action digest to 8e5442c
  chore(deps): update docker/metadata-action digest to dbef880
  chore(deps): update docker/metadata-action digest to 9dc751f
  fix(github-release): update aptible/supercronic to v0.2.29 (#30)
  fix(container): update image vaultwarden/server to v1.30.1 (#26)
  fix(container): update image caddy to v2.7.6 (#28)
  feat(container): update image alpine to v3.19 (#29)
  chore(deps): update docker/metadata-action digest to 31cebac
  fix(github-release): update aptible/supercronic to v0.2.28 (#27)
  chore(deps): update docker/metadata-action digest to e6428a5
  chore(deps): update docker/build-push-action digest to 4a13e50
  feat(container): update image vaultwarden/server to v1.30.0 (#25)
  fix(github-release): update aptible/supercronic to v0.2.27 (#23)
  fix(container): update image caddy to v2.7.5 (#22)
  Add health check to fly.toml (#24)
  ...
arthurgeek committed Mar 18, 2024
2 parents f03fd27 + 443df1f commit ee43ca8
Showing 8 changed files with 93 additions and 85 deletions.
5 changes: 0 additions & 5 deletions .config.sample.env
Expand Up @@ -81,8 +81,3 @@ DOMAIN=https://vw.example.com

# Check https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Guide#disable-password-hint-display
# SHOW_PASSWORD_HINT=false

# Check https://github.com/dani-garcia/vaultwarden/wiki/Enabling-WebSocket-notifications
# You don't need to do any additional configuration, as the template
# already uses Caddy to configure the websocket proxy
WEBSOCKET_ENABLED=true
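
Review bot: dropping `WEBSOCKET_ENABLED=true` from the sample at the end of this hunk does not clean up existing deployments. A `.config.env` copied from the old sample still defines the variable, and the README text in this same commit says `task fly:secrets:set` imports every defined variable, so the stale value keeps being pushed to the app. Suggest an upgrade note telling users to delete the line from `.config.env` and remove the secret from the app, next to the Caddyfile change that drops the port 3012 proxy.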
6 changes: 0 additions & 6 deletions .github/renovate.json5
Expand Up @@ -29,12 +29,6 @@
"matchStrings": [
"datasource=(?<datasource>.*?) depName=(?<depName>.*?)\\sARG .*?_VERSION=(?<currentValue>v.*)\\s"
]
},
{
"fileMatch": ["^\\.github\\/workflows\\/fly-deploy\\.yaml$"],
"matchStrings": [
"datasource=(?<datasource>.*?) depName=(?<depName>.*?)\\sversion:\\s(?<currentValue>.*)\\s"
]
}
]
}
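
Review bot: the rule removed here is the one matching `.github/workflows/fly-deploy.yaml`, and that workflow is not among the 8 files changed in this commit. If it still carries a `datasource=... depName=...` annotation above a `version:` key, that pin will silently stop receiving Renovate updates. Either confirm the annotation is gone from the workflow or keep the rule.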
3 changes: 2 additions & 1 deletion .taskfiles/fly/app.yaml
Expand Up @@ -16,7 +16,8 @@ tasks:
- fly apps destroy {{.FLY_APP}}
deploy:
cmds:
- task: :secrets:set
- fly deploy -a {{.FLY_APP}}
ssh:
cmds:
- fly ssh console -a {{.FLY_APP}}
- fly ssh console -a {{.FLY_APP}}
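
Review bot: `deploy` now runs `:secrets:set` before `fly deploy`, which makes every deploy depend on the local `.config.env`. Per the README text added in this commit, that task imports every defined variable, so deploying from a checkout with an outdated `.config.env` overwrites the app's current secrets with old values, and nothing here guards against that. Suggest a `preconditions` entry that checks the file exists, and a README line stating that deploy also rewrites secrets.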
2 changes: 1 addition & 1 deletion .taskfiles/fly/tasks.yaml
Expand Up @@ -4,4 +4,4 @@ version: "3"
includes:
app: app.yaml
volume: volume.yaml
secrets: secrets.yaml
secrets: secrets.yaml
4 changes: 2 additions & 2 deletions Dockerfile
Expand Up @@ -8,7 +8,7 @@ ARG OVERMIND_VERSION=v2.4.0
ARG SUPERCRONIC=supercronic-linux-amd64
ARG OVERMIND=overmind-${OVERMIND_VERSION}-linux-amd64

FROM vaultwarden/server:1.30.1-alpine as vaultwarden
FROM vaultwarden/server:1.30.5-alpine as vaultwarden

#
# Supercronic
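
Review bot: the `FROM vaultwarden/server:1.30.5-alpine` line still references the base image by tag only. The workflow actions in this merge are updated by digest (`docker/login-action digest to e92390c` and similar), but the image that ships the password manager itself can be re-pushed under the same tag without the build noticing. Suggest pinning it as `vaultwarden/server:1.30.5-alpine@sha256:<digest>` and letting Renovate update the digest together with the tag.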
Expand Down Expand Up @@ -95,4 +95,4 @@ COPY config/Caddyfile /etc/caddy/Caddyfile
COPY scripts/restic-backup.sh .
COPY scripts/setup-msmtp.sh .

CMD ["overmind", "start"]
CMD ["overmind", "start"]
140 changes: 77 additions & 63 deletions README.md
@@ -1,9 +1,8 @@
# Template for deploying [Vaultwarden] on [Fly.io]

This is a template for deploying [Vaultwarden] on [Fly.io] with
[Caddy](https://caddyserver.com) for [websockets] support and
[supercronic](https://github.com/aptible/supercronic) for hourly
[restic](https://restic.net) backups with e-mail failure notification
[Caddy](https://caddyserver.com) and [supercronic](https://github.com/aptible/supercronic)
for hourly [restic](https://restic.net) backups with e-mail failure notification
via [msmtp](https://marlam.de/msmtp/).

This uses a single fly machine, within Fly's [free allowance](https://fly.io/docs/about/pricing/#free-allowances).
Expand All @@ -19,27 +18,27 @@ Then, clone your new repo and `cd` into it.

1. Install [go-task](https://github.com/go-task/task):

We use go-task to automate some steps, you can check the task
code under [.taskfiles](.taskfiles). to see which commands each
task run.
We use go-task to automate some steps, you can check the task
code under [.taskfiles](.taskfiles). to see which commands each
task run.

```sh
brew install go-task/tap/go-task
```
```sh
brew install go-task/tap/go-task
```

1. Install [flyctl](https://fly.io/docs/hands-on/install-flyctl/):

```sh
brew install flyctl
```
```sh
brew install flyctl
```

### Configuration

The `.config.env` file contains environment variables needed to deploy
the apps in this template.

1. Copy the `.config.sample.env` to `.config.env` and fill out all
the environment variables. **All uncommented variables are required**.
the environment variables. **All uncommented variables are required**.

### [Fly.io] setup

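Review bot: style point on the re-indented go-task paragraph: `[.taskfiles](.taskfiles). to see which commands each task run.` carries a stray period after the link and should read `task runs`. These lines are being touched for indentation anyway, so fix the wording in the same change.
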
Expand All @@ -50,45 +49,45 @@ name hidden.

1. Signup to Fly

If you already have a Fly account, use `flyctl auth login` instead.
If you already have a Fly account, use `flyctl auth login` instead.

```sh
flyctl auth signup
```
```sh
flyctl auth signup
```

1. Create a new fly app

If this is your first app, you'll be asked to add credit card
information, but, don't worry, you'll not be charged by this app.
If this is your first app, you'll be asked to add credit card
information, but, don't worry, you'll not be charged by this app.

```sh
task fly:app:create
```
```sh
task fly:app:create
```

1. Create a new volume

This will show you a warning about invididual volumes.
It's ok to have a single volume because we're not
concerned about downtime for our Vaultwarden instance.
This will show you a warning about invididual volumes.
It's ok to have a single volume because we're not
concerned about downtime for our Vaultwarden instance.

```sh
task fly:volume:create
```
```sh
task fly:volume:create
```

1. Deploy your app

```sh
task fly:app:deploy
```
```sh
task fly:app:deploy
```

1. Setup your custom domain

After your app is deployed, follow the steps [here](https://fly.io/docs/app-guides/custom-domains-with-fly/) to setup your custom domain.
After your app is deployed, follow the steps [here](https://fly.io/docs/app-guides/custom-domains-with-fly/) to setup your custom domain.

1. Open your new Vaultwarden website

That's all! Now you can open your custom domain and Vaultwarden should
work.
That's all! Now you can open your custom domain and Vaultwarden should
work.

## Keeping dependencies up to date

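Review bot: typo carried through the re-indent in the volume step: `invididual volumes` should be `individual volumes`. In the same hunk, `Setup your custom domain` and `to setup your custom domain` use the noun form where the verb `set up` is meant.
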
Expand Down Expand Up @@ -132,61 +131,76 @@ You can scroll your tmux window with `Ctrl-B-]` and use
Substitute `vaultwarden` with `caddy`, or `backup` to see logs for
other apps.

## Automatically deploy to Fly.io
## Continuous deployment

After your first manual deploy to Fly.io, per instructions above, you can automatically deploy via Github Actions.
After your first manual deploy to Fly.io, per instructions above, you can setup continuous deployment via Github Actions.

1. Install [Github CLI](https://cli.github.com)

```sh
brew install gh
```
```sh
brew install gh
```

1. Login to Github

```sh
gh auth login
```
```sh
gh auth login
```

1. Set Fly secrets to your Github repo

```sh
task github:secrets:set
```
```sh
task github:secrets:set
```

1. Test your workflow deployment

```sh
task github:workflow:deploy
```
```sh
task github:workflow:deploy
```

That's all! Now, any changes to your `Dockerfile`, `fly.toml` or
`scripts`/`config` will trigger an automatic fly deploy.
`scripts`/`config` will trigger a fly deploy.

## FAQ

1. Why every `fly` command I run errors with: `Error: the config for your app is missing an app name`?

For security reasons the app name is not sdaved in the [fly.toml] file.
In that case, you have to add `-a your-app-name` to all `fly` commands.
For security reasons the app name is not sdaved in the [fly.toml] file.
In that case, you have to add `-a your-app-name` to all `fly` commands.

Your app name is found in your `.config.env` file.
Your app name is found in your `.config.env` file.

Example:
Example:

```sh
fly secrets list -a your-app-name
```
```sh
fly secrets list -a your-app-name
```

Or you can add:
Or you can add:

```yaml
app = "your-app-name"
```
```yaml
app = "your-app-name"
```

to the beginning of your [fly.toml] file.
to the beginning of your [fly.toml] file.

2. How do I update the environment variables?

After updating the `.config.env` file, you can update your environment variables in two different ways:

```sh
task fly:secrets:set
```

will read your `.config.env` file and import every defined variable to your fly app, Or you can just do a new deployment:

```sh
task fly:app:deploy
```

which will run the command above and do a new deployment afterwards.

[Vaultwarden]: https://github.com/dani-garcia/vaultwarden
[Fly.io]: https://fly.io
[websockets]: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-WebSocket-notifications
[fly.toml]: fly.toml
[fly.toml]: fly.toml
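
Review bot: the new FAQ item 2 documents two ways to push `.config.env` changes, both run from a local checkout, while the Continuous deployment section in this hunk says changes to `Dockerfile`, `fly.toml` or `scripts`/`config` trigger a fly deploy from Github Actions. State explicitly whether that workflow deploy also updates secrets; if it does not, a reader who edits `.config.env` and pushes will assume the new values are live. Minor: `sdaved` in FAQ item 1 should be `saved`, and `fly app, Or you can` should start a new sentence.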
6 changes: 0 additions & 6 deletions config/Caddyfile
Expand Up @@ -32,12 +32,6 @@
-Last-Modified
}

# The negotiation endpoint is also proxied to Rocket
reverse_proxy /notifications/hub/negotiate localhost:8080

# Notifications redirected to the websockets server
reverse_proxy /notifications/hub localhost:3012

# Proxy everything else to Rocket
reverse_proxy localhost:8080 {
# Send the true remote IP to Rocket, so that vaultwarden can put this in the log
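
Review bot: after the two `/notifications/hub` routes are removed, the comment `# Proxy everything else to Rocket` is stale, because the catch-all `reverse_proxy localhost:8080` now also carries the `/notifications/hub` websocket traffic. Suggest rewording the comment to say so, and confirming that nothing else in the image still starts or exposes a listener on port 3012.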
12 changes: 11 additions & 1 deletion fly.toml
Expand Up @@ -8,4 +8,14 @@ kill_timeout = 5
[http_service]
internal_port = 80
force_https = true
min_machines_running = 1
min_machines_running = 1

[checks]
[checks.alive]
grace_period = "30s"
interval = "15s"
method = "get"
path = "/alive"
port = 80
timeout = "10s"
type = "http"
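
Review bot: `[checks.alive]` is declared as a top-level check rather than under `[http_service]`. As far as I know, top-level checks on Fly are reported for monitoring but are not used by the proxy to decide routing for the service; if the intent is for a failing `/alive` to gate traffic to the machine, declare it as `[[http_service.checks]]` instead. A comment that `/alive` is reached through Caddy on `port = 80`, so the check covers Caddy and Vaultwarden together, would also help.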
