diff --git a/.config.sample.env b/.config.sample.env index 030fd17..11e8181 100644 --- a/.config.sample.env +++ b/.config.sample.env @@ -81,8 +81,3 @@ DOMAIN=https://vw.example.com # Check https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Guide#disable-password-hint-display # SHOW_PASSWORD_HINT=false - -# Check https://github.com/dani-garcia/vaultwarden/wiki/Enabling-WebSocket-notifications -# You don't need to do any additional configuration, as the template -# already uses Caddy to configure the websocket proxy -WEBSOCKET_ENABLED=true diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 4af37c9..16e5412 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -29,12 +29,6 @@ "matchStrings": [ "datasource=(?.*?) depName=(?.*?)\\sARG .*?_VERSION=(?v.*)\\s" ] - }, - { - "fileMatch": ["^\\.github\\/workflows\\/fly-deploy\\.yaml$"], - "matchStrings": [ - "datasource=(?.*?) depName=(?.*?)\\sversion:\\s(?.*)\\s" - ] } ] } diff --git a/.taskfiles/fly/app.yaml b/.taskfiles/fly/app.yaml index 7803e9d..ef36ef9 100644 --- a/.taskfiles/fly/app.yaml +++ b/.taskfiles/fly/app.yaml @@ -16,7 +16,8 @@ tasks: - fly apps destroy {{.FLY_APP}} deploy: cmds: + - task: :secrets:set - fly deploy -a {{.FLY_APP}} ssh: cmds: - - fly ssh console -a {{.FLY_APP}} \ No newline at end of file + - fly ssh console -a {{.FLY_APP}} diff --git a/.taskfiles/fly/tasks.yaml b/.taskfiles/fly/tasks.yaml index 0e60399..18d287a 100644 --- a/.taskfiles/fly/tasks.yaml +++ b/.taskfiles/fly/tasks.yaml @@ -4,4 +4,4 @@ version: "3" includes: app: app.yaml volume: volume.yaml - secrets: secrets.yaml \ No newline at end of file + secrets: secrets.yaml diff --git a/Dockerfile b/Dockerfile index 94d161d..e191bbe 100644 --- a/Dockerfile +++ b/Dockerfile 
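Review bot: In the `deploy:` task of .taskfiles/fly/app.yaml the new `- task: :secrets:set` runs unconditionally before `fly deploy`, and nothing in this diff shows how the included task pushes the values; if it calls `fly secrets set` without `--stage`, Fly rolls a release for the secrets change and `fly deploy` then rolls a second one, so staging the secrets and letting the deploy apply them avoids the double restart. secrets.yaml is not part of this diff, so that is inferred from the README text added here, which says the task imports every variable defined in `.config.env`. A one-line comment above the new step would help readers of the taskfile, e.g. `# push .config.env values to Fly secrets first so a deploy never ships stale settings`.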
@@ -8,7 +8,7 @@ ARG OVERMIND_VERSION=v2.4.0 ARG SUPERCRONIC=supercronic-linux-amd64 ARG OVERMIND=overmind-${OVERMIND_VERSION}-linux-amd64 -FROM vaultwarden/server:1.30.1-alpine as vaultwarden +FROM vaultwarden/server:1.30.5-alpine as vaultwarden # # Supercronic @@ -95,4 +95,4 @@ COPY config/Caddyfile /etc/caddy/Caddyfile COPY scripts/restic-backup.sh . COPY scripts/setup-msmtp.sh . -CMD ["overmind", "start"] \ No newline at end of file +CMD ["overmind", "start"] diff --git a/README.md b/README.md index 630f2dc..312190e 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,8 @@ # Template for deploying [Vaultwarden] on [Fly.io] This is a template for deploying [Vaultwarden] on [Fly.io] with -[Caddy](https://caddyserver.com) for [websockets] support and -[supercronic](https://github.com/aptible/supercronic) for hourly -[restic](https://restic.net) backups with e-mail failure notification +[Caddy](https://caddyserver.com) and [supercronic](https://github.com/aptible/supercronic) +for hourly [restic](https://restic.net) backups with e-mail failure notification via [msmtp](https://marlam.de/msmtp/). This uses a single fly machine, within Fly's [free allowance](https://fly.io/docs/about/pricing/#free-allowances). @@ -19,19 +18,19 @@ Then, clone your new repo and `cd` into it. 1. Install [go-task](https://github.com/go-task/task): - We use go-task to automate some steps, you can check the task - code under [.taskfiles](.taskfiles). to see which commands each - task run. + We use go-task to automate some steps, you can check the task + code under [.taskfiles](.taskfiles). to see which commands each + task run. - ```sh - brew install go-task/tap/go-task - ``` + ```sh + brew install go-task/tap/go-task + ``` 1. Install [flyctl](https://fly.io/docs/hands-on/install-flyctl/): - ```sh - brew install flyctl - ``` + ```sh + brew install flyctl + ``` ### Configuration 
@@ -39,7 +38,7 @@ The `.config.env` file contains environment variables needed to deploy the apps in this template. 1. Copy the `.config.sample.env` to `.config.env` and fill out all -the environment variables. **All uncommented variables are required**. + the environment variables. **All uncommented variables are required**. ### [Fly.io] setup 
@@ -50,45 +49,45 @@ name hidden. 1. Signup to Fly - If you already have a Fly account, use `flyctl auth login` instead. + If you already have a Fly account, use `flyctl auth login` instead. - ```sh - flyctl auth signup - ``` + ```sh + flyctl auth signup + ``` 1. Create a new fly app - If this is your first app, you'll be asked to add credit card - information, but, don't worry, you'll not be charged by this app. + If this is your first app, you'll be asked to add credit card + information, but, don't worry, you'll not be charged by this app. - ```sh - task fly:app:create - ``` + ```sh + task fly:app:create + ``` 1. Create a new volume - This will show you a warning about invididual volumes. - It's ok to have a single volume because we're not - concerned about downtime for our Vaultwarden instance. + This will show you a warning about invididual volumes. + It's ok to have a single volume because we're not + concerned about downtime for our Vaultwarden instance. - ```sh - task fly:volume:create - ``` + ```sh + task fly:volume:create + ``` 1. Deploy your app - ```sh - task fly:app:deploy - ``` + ```sh + task fly:app:deploy + ``` 1. Setup your custom domain - After your app is deployed, follow the steps [here](https://fly.io/docs/app-guides/custom-domains-with-fly/) to setup your custom domain. + After your app is deployed, follow the steps [here](https://fly.io/docs/app-guides/custom-domains-with-fly/) to setup your custom domain. 1. Open your new Vaultwarden website - That's all! Now you can open your custom domain and Vaultwarden should - work. + That's all! Now you can open your custom domain and Vaultwarden should + work. ## Keeping dependencies up to date 
@@ -132,61 +131,76 @@ You can scroll your tmux window with `Ctrl-B-]` and use Substitute `vaultwarden` with `caddy`, or `backup` to see logs for other apps. -## Automatically deploy to Fly.io +## Continuous deployment -After your first manual deploy to Fly.io, per instructions above, you can automatically deploy via Github Actions. +After your first manual deploy to Fly.io, per instructions above, you can setup continuous deployment via Github Actions. 1. Install [Github CLI](https://cli.github.com) - ```sh - brew install gh - ``` + ```sh + brew install gh + ``` 1. Login to Github - ```sh - gh auth login - ``` + ```sh + gh auth login + ``` 1. Set Fly secrets to your Github repo - ```sh - task github:secrets:set - ``` + ```sh + task github:secrets:set + ``` 1. Test your workflow deployment - ```sh - task github:workflow:deploy - ``` + ```sh + task github:workflow:deploy + ``` That's all! Now, any changes to your `Dockerfile`, `fly.toml` or -`scripts`/`config` will trigger an automatic fly deploy. +`scripts`/`config` will trigger a fly deploy. ## FAQ 1. Why every `fly` command I run errors with: `Error: the config for your app is missing an app name`? - For security reasons the app name is not sdaved in the [fly.toml] file. - In that case, you have to add `-a your-app-name` to all `fly` commands. + For security reasons the app name is not sdaved in the [fly.toml] file. + In that case, you have to add `-a your-app-name` to all `fly` commands. - Your app name is found in your `.config.env` file. + Your app name is found in your `.config.env` file. - Example: + Example: - ```sh - fly secrets list -a your-app-name - ``` + ```sh + fly secrets list -a your-app-name + ``` - Or you can add: + Or you can add: - ```yaml - app = "your-app-name" - ``` + ```yaml + app = "your-app-name" + ``` - to the beginning of your [fly.toml] file. + to the beginning of your [fly.toml] file. + +2. How do I update the environment variables? 
+ + After updating the `.config.env` file, you can update your environment variables in two different ways: + + ```sh + task fly:secrets:set + ``` + + will read your `.config.env` file and import every defined variable to your fly app, Or you can just do a new deployment: + + ```sh + task fly:app:deploy + ``` + + which will run the command above and do a new deployment afterwards. [Vaultwarden]: https://github.com/dani-garcia/vaultwarden [Fly.io]: https://fly.io -[websockets]: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-WebSocket-notifications -[fly.toml]: fly.toml \ No newline at end of file +[fly.toml]: fly.toml diff --git a/config/Caddyfile b/config/Caddyfile index 3c16e7a..dc4327c 100644 --- a/config/Caddyfile +++ b/config/Caddyfile @@ -32,12 +32,6 @@ -Last-Modified } - # The negotiation endpoint is also proxied to Rocket - reverse_proxy /notifications/hub/negotiate localhost:8080 - - # Notifications redirected to the websockets server - reverse_proxy /notifications/hub localhost:3012 - # Proxy everything else to Rocket reverse_proxy localhost:8080 { # Send the true remote IP to Rocket, so that vaultwarden can put this in the log diff --git a/fly.toml b/fly.toml index a2f9865..150b388 100644 --- a/fly.toml +++ b/fly.toml @@ -8,4 +8,14 @@ kill_timeout = 5 [http_service] internal_port = 80 force_https = true - min_machines_running = 1 \ No newline at end of file + min_machines_running = 1 + +[checks] + [checks.alive] + grace_period = "30s" + interval = "15s" + method = "get" + path = "/alive" + port = 80 + timeout = "10s" + type = "http"
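Review bot: The new `[checks.alive]` block in fly.toml probes `/alive` on port 80, which per the Caddyfile context in this diff is Caddy's catch-all `reverse_proxy localhost:8080`, so the check exercises the whole Caddy-to-vaultwarden chain and a failure can come from either process; that is worth recording next to the check, e.g. `# /alive is answered by vaultwarden behind Caddy, so this check covers both processes`. `/alive` is presumably vaultwarden's unauthenticated liveness route; confirm the Caddyfile, only partly visible here, does not rewrite or block it, otherwise the machine would be marked unhealthy after the 30s grace period. The `port = 80` entry duplicates `internal_port = 80` in `[http_service]`, so a comment noting they must stay in sync would prevent a silent drift later.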