valknar/docker-compose
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add Vaultwarden password manager stack

Browse Source 
Added self-hosted password manager to The Falcon infrastructure:

**Vault Stack** (vault.pivoine.art):
- Vaultwarden (Bitwarden-compatible server)
- SQLite database for password storage
- WebSocket support for real-time sync
- TOTP and WebAuthn/U2F 2FA support
- Browser extensions and mobile apps compatible

**Configuration:**
- Domain: https://vault.pivoine.art
- Signups: Disabled (invite-only for security)
- Invitations: Enabled
- Password hints: Disabled (security best practice)
- First user becomes admin

**Backup Integration:**
- Added vaultwarden-backup plan to Restic
- Schedule: 8 AM daily (same as letsencrypt)
- Retention: 7 daily, 4 weekly, 12 monthly, 3 yearly
- Backup volume: vault_data mounted read-only

**Infrastructure Updates:**
- Created vault/compose.yaml following stack pattern
- Added VAULT_* environment variables to arty.yml
- Updated compose.yaml to include vault stack
- Added backup_vaultwarden_data volume to restic
- Updated restic/config.json with 12th backup plan

**Documentation:**
- Added Vault to CORE SYSTEMS in README
- Added to ship architecture diagram
- Documented in CLAUDE.md with configuration details
- Updated volume management sections
- Backup count increased from 11 to 12 plans

Critical data backed up with long retention (3 years yearly).
Compatible with official Bitwarden clients on all platforms.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Sebastian Krüger
2025-11-06 11:15:12 +01:00
parent fcfe508698
commit 9b433e66ad
7 changed files with 101 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
arty.yml
View File

@@ -94,6 +94,15 @@ envs:
RESTIC_TRAEFIK_HOST: restic.pivoine.art
RESTIC_HOSTNAME: falcon
RESTIC_BACKUP_PATH: /mnt/hidrive/users/valknar/Backup
# Vault
VAULT_TRAEFIK_ENABLED: true
VAULT_COMPOSE_PROJECT_NAME: vault
VAULT_IMAGE: vaultwarden/server:latest
VAULT_TRAEFIK_HOST: vault.pivoine.art
VAULT_WEBSOCKET_ENABLED: true
VAULT_SIGNUPS_ALLOWED: false
VAULT_INVITATIONS_ALLOWED: true
VAULT_SHOW_PASSWORD_HINT: false
# Proxy
PROXY_COMPOSE_PROJECT_NAME: proxy
PROXY_DOCKER_IMAGE: traefik:latest