Need help setting up my vaultwarden with duckdns

Hello,

I tried now 10 hours to get this running.

my docker-compose

version: '3'

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    volumes:
      - ./vw-data:/data
    environment:
      WEBSOCKET_ENABLED: "true"  # Enable WebSocket notifications.
    
  caddy:
    image: caddy:2
    container_name: caddy
    restart: always
    ports:
      - 80:80  # Needed for the ACME HTTP-01 challenge.
      - 443:443
    volumes:
      - ./caddy:/home/x/vaultwarden/caddy
      - ./Caddyfile:/home/x/vaultwarden/Caddyfile:ro
      - ./caddy-config:/config
      - ./caddy-data:/data
    environment:
      DOMAIN: "https://x.duckdns.org"  # Your domain.
      LOG_FILE: "/home/x/vaultwarden/vaultwarden1.log"
      EMAIL: "x@gmail.com"
      DUCKDNS_TOKEN: "xxx"

and my Caddyfile

{$DOMAIN}:443{
  log {
    level INFO
    output file {$LOG_FILE} {
      roll_size 10MB
      roll_keep 10
    }
  }

  # Use the ACME HTTP-01 challenge to get a cert for the configured domain.
  tls {
	dns duckdns {$DUCKDNS_TOKEN}
	}
  # This setting may have compatibility issues with some browsers
  # (e.g., attachment downloading on Firefox). Try disabling this
  # if you encounter issues.
  encode gzip

  # Notifications redirected to the WebSocket server
  reverse_proxy /notifications/hub vaultwarden:3012

  # Proxy everything else to Rocket
  reverse_proxy vaultwarden:80
}

my docker caddy log (seems like it dont use my caddyfile because its not unser /etc/ and I dont know why)

{“level”:“info”,“ts”:1679753140.3411438,“msg”:“using provided configuration”,“config_file”:“/etc/caddy/Caddyfile”,“config_adapter”:“caddyfile”}
{“level”:“info”,“ts”:1679753140.342131,“logger”:“admin”,“msg”:“admin endpoint started”,“address”:“localhost:2019”,“enforce_origin”:false,“origins”:[“//localhost:2019”,“//[::1]:2019”,“//127.0.0.1:2019”]}
{“level”:“warn”,“ts”:1679753140.3424788,“logger”:“http”,“msg”:“server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server”,“server_name”:“srv0”,“http_port”:80}
{“level”:“info”,“ts”:1679753140.3425548,“logger”:“tls.cache.maintenance”,“msg”:“started background certificate maintenance”,“cache”:“0xc00043b340”}
{“level”:“info”,“ts”:1679753140.342645,“logger”:“http.log”,“msg”:“server running”,“name”:“srv0”,“protocols”:[“h1”,“h2”,“h3”]}
{“level”:“info”,“ts”:1679753140.3427038,“logger”:“tls”,“msg”:“cleaning storage unit”,“description”:“FileStorage:/data/caddy”}
{“level”:“info”,“ts”:1679753140.3427954,“logger”:“tls”,“msg”:“finished cleaning storage units”}
{“level”:“info”,“ts”:1679753140.3428745,“msg”:“autosaved config (load with --resume flag)”,“file”:“/config/caddy/autosave.json”}


{"level":"info","ts":1679753140.3428905,"msg":"serving initial configuration"}

vaultwarden docker log

[INFO] No .env file found.

[2023-03-25 14:18:33.107][vaultwarden::api::notifications][INFO] Starting WebSockets server on 0.0.0.0:3012
[2023-03-25 14:18:33.112][start][INFO] Rocket has launched from http://0.0.0.0:80

I dont know somthing is really off and I dont know why and I’m not good with linux or docker can someone help me please!

Thanks

Hi, Maybe not the answer you want, but I tried and gave up with Caddy and so set it up with nginx/certbot instead.

New setup, certbot creates keys and saves them to the volume, nginx reads them (only) as the reverse proxy, vaultwarden is then certified with duckdns url.

Apologies if these files are not so clear, just taken direct from my setup notes.
I loaded this direct into portainer to create the stack.

docker-compose as below:


version: '3.4'

x-common-variables: &common-variables
   CERT_DOMAIN: <your duckdns url>
   CERT_MAIL: <your email>
   

services:
   certbot_dns_duckdns: 
      image: infinityofspace/certbot_dns_duckdns:latest
      restart: unless-stopped
      command: 'certonly --non-interactive --agree-tos --email <your email> --preferred-challenges dns --authenticator dns-duckdns --dns-duckdns-token <your duckdns token> --dns-duckdns-propagation-seconds 60 -d "<your duckdns url"'
      volumes:
       - certbot_www:/var/www/certbot/:rw
       - certbot_conf:/etc/letsencrypt/:rw

  nginx:
    image: nginx:latest
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    environment:
       <<: *common-variables
    volumes:
      - certbot_www:/var/www/certbot/:ro
      - certbot_conf:/etc/letsencrypt/:ro
      - nginx_vw:/root/nginx/

  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      DOMAIN: "https://<your duckdns url>"  # Your domain; vaultwarden needs to know it's https to work properly with attachments
    volumes:
      - vw-data:/data

volumes:
  certbot_www:
  certbot_conf:
  nginx_vw:
  vw-data:

nginx.conf below (place in /etc/nginx/):

vaultwarden nginx.conf

# The `upstream` directives ensure that you have a http/1.1 connection
# This enables the keepalive option and better performance
#
# Define the server IP and ports here.
upstream vaultwarden-default {
  zone vaultwarden-default 64k;
  server vaultwarden:80;
  keepalive 2;
}

# Needed to support websocket connections
# See: https://nginx.org/en/docs/http/websocket.html
# Instead of "close" as stated in the above link we send an empty value.
# Else all keepalive connections will not work.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      "";
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name <your duckdns prefix>.duckdns.org;

    if ($host = <your duckdns prefix>.duckdns.org) {
        return 301 https://$host$request_uri;
    }
    return 404;
}

server {
    # For older versions of nginx appened http2 to the listen line after ssl and remove `http2 on`
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name <your duckdns prefix>.duckdns.org;

    # Specify SSL Config when needed
    ssl_certificate /etc/letsencrypt/live/<your duckdns prefix>.duckdns.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<your duckdns prefix>.duckdns.org/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/<your duckdns prefix>.duckdns.org/fullchain.pem;

    client_max_body_size 525M;

    location / {
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $connection_upgrade;

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass http://vaultwarden-default;
    }

    # Optionally add extra authentication besides the ADMIN_TOKEN
    # Remove the comments below `#` and create the htpasswd_file to have it active
    #
    #location /admin {
    #  # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
    #  auth_basic "Private";
    #  auth_basic_user_file /path/to/htpasswd_file;
    #
    #  proxy_http_version 1.1;
    #  proxy_set_header Upgrade $http_upgrade;
    #  proxy_set_header Connection $connection_upgrade;
    #
    #  proxy_set_header Host $host;
    #  proxy_set_header X-Real-IP $remote_addr;
    #  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #  proxy_set_header X-Forwarded-Proto $scheme;
    #
    #  proxy_pass http://vaultwarden-default;
    #}
}