theo/agence66-vaultwarden
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Améliorer la sécurité et la configuration Docker

Browse Source 
- Ajouter les capabilities Linux (cap_drop/cap_add) pour limiter les privilèges
- Configurer les limites de ressources (256M RAM, 0.5 CPU)
- Ajouter un healthcheck pour surveiller l'état du service
- Configurer les variables SMTP pour la récupération de mot de passe
- Documenter .env.example avec des exemples et instructions

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
BeauTroll
2025-12-22 18:41:15 +01:00
parent 26e7965039
commit 8aecc5005a
2 changed files with 32 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
.env.example
View File

@@ -1,2 +1,5 @@
DOMAIN= DOMAIN=domain.tld
ADMIN_TOKEN= ADMIN_TOKEN= # Générer avec: openssl rand -base64 48
SMTP_HOST=smtp.domain.tld
SMTP_PORT=587
SMTP_FROM=vaultwarden@domain.tld

27
docker-compose.yml
View File

@@ -3,6 +3,15 @@ services:
image: vaultwarden/server:latest image: vaultwarden/server:latest
container_name: vaultwarden container_name: vaultwarden
restart: unless-stopped restart: unless-stopped
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
read_only: false
environment: environment:
- DOMAIN=${DOMAIN} - DOMAIN=${DOMAIN}
- SIGNUPS_ALLOWED=false - SIGNUPS_ALLOWED=false
@@ -20,6 +29,12 @@ services:
# Notifications # Notifications
- SENDS_ALLOWED=true - SENDS_ALLOWED=true
# - EMERGENCY_ACCESS_ALLOWED=true # - EMERGENCY_ACCESS_ALLOWED=true
#
- SMTP_HOST=${SMTP_HOST}
- SMTP_PORT=${SMTP_PORT}
- SMTP_FROM=${SMTP_FROM}
- SMTP_USERNAME=${SMTP_USER}
- SMTP_PASSWORD=${SMTP_PASSWORD}
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.http.routers.vaultwarden.rule=Host(`${DOMAIN}`)" - "traefik.http.routers.vaultwarden.rule=Host(`${DOMAIN}`)"
@@ -27,6 +42,18 @@ services:
- "traefik.http.routers.vaultwarden.tls=true" - "traefik.http.routers.vaultwarden.tls=true"
- "traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt" - "traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt"
- "traefik.http.services.vaultwarden.loadbalancer.server.port=80" - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"
deploy:
resources:
limits:
memory: 256M
cpus: "0.5"
reservations:
memory: 128M
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:80/alive"]
interval: 30s
timeout: 3s
retries: 3
volumes: volumes:
- ./data:/data - ./data:/data
networks: networks: