diff --git a/README.md b/README.md
index a3aeb8a..479e5e9 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,8 @@ Each stack is independently deployable with its own `compose.yml` and `.env`. Al
 | `n8n` | Workflow automation & notification relay | n8n, db |
 | `gitea` | Git hosting + CI runner | gitea, runner, db |
 | `coolify` | Deployment platform | coolify, realtime, redis, db |
-| `vaultwarden` | Password manager | vaultwarden |
+| `vaultwarden` | Password manager (legacy) | vaultwarden |
+| `passbolt` | Password manager (GPG-encrypted, team sharing) | passbolt, db |
 
 ## Tools
 
diff --git a/_backup/backup.sh b/_backup/backup.sh
index 54c5df0..977fcba 100755
--- a/_backup/backup.sh
+++ b/_backup/backup.sh
@@ -38,6 +38,7 @@ declare -A DATABASES=(
   [n8n_db]="n8n:n8n"
   [immich_db]="immich:immich"
   [coolify_db]="coolify:coolify"
+  [passbolt_db]="passbolt:passbolt"
 )
 
 dump_errors=()
diff --git a/passbolt/.env.example b/passbolt/.env.example
new file mode 100644
index 0000000..8998801
--- /dev/null
+++ b/passbolt/.env.example
@@ -0,0 +1,3 @@
+TRAEFIK_HOST=passbolt.example.com
+NETWORK_NAME=falcon_network
+DB_PASSWORD=change_me
diff --git a/passbolt/compose.yml b/passbolt/compose.yml
new file mode 100644
index 0000000..bcc3b1c
--- /dev/null
+++ b/passbolt/compose.yml
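Review bot: The new `[passbolt_db]="passbolt:passbolt"` entry only captures the database, while `passbolt/compose.yml` also bind-mounts `../.data/passbolt/gpg` and `../.data/passbolt/jwt` into the container; the key material passbolt keeps there is presumably required to bring a restored instance back up, and whether this script copies those directories as well is not visible in the hunk. If it does not, add them to the file-level backup next to the dump, or at minimum leave a comment on the entry so the gap is explicit: `# passbolt: the dump alone is not a full restore — also back up .data/passbolt/{gpg,jwt}`. The `DATABASES` array is opened before the hunk, so the `user:dbname` meaning of the value is inferred from the sibling entries rather than visible here.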
@@ -0,0 +1,62 @@
+services:
+  passbolt:
+    image: passbolt/passbolt:latest-ce
+    container_name: passbolt
+    environment:
+      APP_FULL_BASE_URL: https://${TRAEFIK_HOST}
+      PASSBOLT_SSL_FORCE: "false"
+      PASSBOLT_REGISTRATION_PUBLIC: "false"
+      DATASOURCES_DEFAULT_HOST: db
+      DATASOURCES_DEFAULT_PORT: "5432"
+      DATASOURCES_DEFAULT_DATABASE: passbolt
+      DATASOURCES_DEFAULT_USERNAME: passbolt
+      DATASOURCES_DEFAULT_PASSWORD: ${DB_PASSWORD}
+      DATASOURCES_DEFAULT_DRIVER: Cake\Database\Driver\Postgres
+      EMAIL_TRANSPORT_DEFAULT_HOST: mailpit
+      EMAIL_TRANSPORT_DEFAULT_PORT: "1025"
+      EMAIL_TRANSPORT_DEFAULT_TLS: "false"
+      EMAIL_DEFAULT_FROM: passbolt@pivoine.art
+      EMAIL_DEFAULT_FROM_NAME: Passbolt
+    volumes:
+      - ../.data/passbolt/gpg:/etc/passbolt/gpg
+      - ../.data/passbolt/jwt:/etc/passbolt/jwt
+    depends_on:
+      db:
+        condition: service_healthy
+    restart: unless-stopped
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.middlewares.passbolt-redirect-web-secure.redirectscheme.scheme=https"
+      - "traefik.http.routers.passbolt-web.middlewares=passbolt-redirect-web-secure"
+      - "traefik.http.routers.passbolt-web.rule=Host(`${TRAEFIK_HOST}`)"
+      - "traefik.http.routers.passbolt-web.entrypoints=web"
+      - "traefik.http.routers.passbolt-web-secure.rule=Host(`${TRAEFIK_HOST}`)"
+      - "traefik.http.routers.passbolt-web-secure.tls.certresolver=resolver"
+      - "traefik.http.routers.passbolt-web-secure.entrypoints=web-secure"
+      - "traefik.http.routers.passbolt-web-secure.middlewares=security-headers@file,no-index@file"
+      - "traefik.http.services.passbolt-web-secure.loadbalancer.server.port=80"
+      - "traefik.docker.network=${NETWORK_NAME}"
+    networks:
+      - compose_network
+  db:
+    image: postgres:16-alpine
+    container_name: passbolt_db
+    environment:
+      POSTGRES_DB: passbolt
+      POSTGRES_USER: passbolt
+      POSTGRES_PASSWORD: ${DB_PASSWORD}
+      POSTGRES_INITDB_ARGS: --data-checksums
+    volumes:
+      - ../.data/passbolt/db:/var/lib/postgresql/data
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB}"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+    networks:
+      - compose_network
+networks:
+  compose_network:
+    name: ${NETWORK_NAME}
+    external: true
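Review bot: The `db` service is attached only to the shared external `compose_network` (`${NETWORK_NAME}`), so the password manager's Postgres is reachable from every other container on that network with `DB_PASSWORD` as the sole barrier, and the README lists several other stacks with a `db` service that presumably share it. If those stacks also attach a service named `db` to the same network, the `DATASOURCES_DEFAULT_HOST: db` lookup becomes ambiguous as well, since Compose registers the service name as a DNS alias on each attached network. Keep `passbolt`↔`db` on a stack-private network and leave only `passbolt` on the external one (it still needs it for Traefik and the `mailpit` host), as in the excerpt below. Separately, `image: passbolt/passbolt:latest-ce` is a floating tag, so any `docker compose pull` silently upgrades the password manager; pin a release, e.g. `image: passbolt/passbolt:<pinned-version>-ce`.

```yaml
services:
  passbolt:
    # … unchanged: image, container_name, environment, volumes, depends_on, restart, labels …
    networks:
      - compose_network
      - passbolt_internal
  db:
    # … unchanged: image, container_name, environment, volumes, restart, healthcheck …
    networks:
      - passbolt_internal
networks:
  compose_network:
    name: ${NETWORK_NAME}
    external: true
  passbolt_internal:
    # stack-private; internal: true also removes egress, which the database does not need
    internal: true
```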