Added logging, self-signed certs and KEYWARDEN_DOMAIN env variable

2026-01-19 19:47:31 +00:00
parent 43fe875cde
commit 47b90fee87
6 changed files with 94 additions and 35 deletions


@@ -2,7 +2,8 @@
KEYWARDEN_SECRET_KEY=supersecret KEYWARDEN_SECRET_KEY=supersecret
KEYWARDEN_DEBUG=True KEYWARDEN_DEBUG=True
KEYWARDEN_ALLOWED_HOSTS=* KEYWARDEN_ALLOWED_HOSTS=*
KEYWARDEN_TRUSTED_ORIGINS=https://localhost,https://127.0.0.1 KEYWARDEN_TRUSTED_ORIGINS=https://reverse.proxy.domain.xyz,https://127.0.0.1
KEYWARDEN_DOMAIN=https://example.domain.xyz
# Database # Database
KEYWARDEN_POSTGRES_DB=keywarden KEYWARDEN_POSTGRES_DB=keywarden
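Review bot: The new `KEYWARDEN_DOMAIN` example value carries a URL scheme, but the entrypoint in this same commit substitutes the raw value into nginx's `server_name` and into the certificate subject (`DOMAIN="${KEYWARDEN_DOMAIN:-localhost}"`), where `https://example.domain.xyz` is not a hostname and will not match any request's Host header. Either document the variable as a bare hostname, `KEYWARDEN_DOMAIN=example.domain.xyz`, or normalise it where it is consumed, e.g. `DOMAIN="${DOMAIN#*://}"` right after the assignment; the example looks modelled on `KEYWARDEN_TRUSTED_ORIGINS`, which does need the scheme. The two variables now also name different hosts (`reverse.proxy.domain.xyz` vs `example.domain.xyz`); if they are meant to be the same deployment, a short comment above them saying which is which would save the next reader a guess.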


@@ -13,12 +13,16 @@ WORKDIR /app
# System deps for psycopg2, node (for Tailwind), etc. # System deps for psycopg2, node (for Tailwind), etc.
RUN apt-get update && apt-get install -y --no-install-recommends \ RUN apt-get update && apt-get install -y --no-install-recommends \
build-essential \ build-essential \
ca-certificates \
libpq-dev \ libpq-dev \
curl \ curl \
openssl \
nginx \ nginx \
nodejs \ nodejs \
npm \ npm \
supervisor \ supervisor \
mkcert \
libnss3-tools \
valkey-server \ valkey-server \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*
@@ -45,7 +49,7 @@ RUN pip install --upgrade pip \
WORKDIR /app WORKDIR /app
COPY ./app . COPY ./app .
COPY nginx/configs/nginx.conf /etc/nginx/nginx.conf COPY nginx/configs/nginx.conf.template /etc/nginx/nginx.conf.template
COPY nginx/configs/options-* /etc/nginx/ COPY nginx/configs/options-* /etc/nginx/
#COPY nginx/configs/sites/ /etc/nginx/conf.d/ #COPY nginx/configs/sites/ /etc/nginx/conf.d/
COPY supervisor/supervisord.conf /etc/supervisor/supervisord.conf COPY supervisor/supervisord.conf /etc/supervisor/supervisord.conf
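Review bot: The four packages added to the apt install list (`ca-certificates`, `openssl`, `mkcert`, `libnss3-tools`) are unpinned like the existing entries, and the last one appears to serve only `mkcert -install` in the entrypoint, which writes into NSS trust databases that nothing in a headless nginx/Django container reads as far as this diff shows. Installing both `mkcert` and `openssl` also makes the entrypoint's `openssl req` fallback unreachable in this image, so the container carries two certificate generators and a dead branch; keeping a single one would let `libnss3-tools` and one of the two go. If mkcert stays, pin it in the form hadolint DL3008 asks for (`mkcert=<version-from-apt-cache>`), and give the install line a why-comment such as `# mkcert/openssl: dev-only self-signed certs generated by entrypoint.sh`.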


@@ -1,6 +1,31 @@
#!/bin/sh #!/bin/sh
set -eu set -eu
DOMAIN="${KEYWARDEN_DOMAIN:-localhost}"
CERT_DIR="/etc/nginx/certs"
NGINX_TEMPLATE="/etc/nginx/nginx.conf.template"
NGINX_CONF="/etc/nginx/nginx.conf"
# Replaces server_name in nginx.conf with $KEYWARDEN_DOMAIN
if [ -f "$NGINX_TEMPLATE" ]; then
ESCAPED_DOMAIN=$(printf '%s' "$DOMAIN" | sed 's/[&/]/\\&/g')
sed "s/__SERVER_NAME__/${ESCAPED_DOMAIN}/g" "$NGINX_TEMPLATE" > "$NGINX_CONF"
fi
# Creates self-signed certs using mkcert $KEYWARDEN_DOMAIN, and renaming them.
if [ ! -f "$CERT_DIR/certificate.pem" ] || [ ! -f "$CERT_DIR/key.pem" ]; then
mkdir -p "$CERT_DIR"
if command -v mkcert >/dev/null 2>&1; then
mkcert -install >/dev/null 2>&1 || true
mkcert -cert-file "$CERT_DIR/certificate.pem" -key-file "$CERT_DIR/key.pem" "$DOMAIN"
else
openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
-subj "/CN=$DOMAIN" \
-keyout "$CERT_DIR/key.pem" \
-out "$CERT_DIR/certificate.pem"
fi
fi
# Build Tailwind CSS (best-effort; skip if not configured) # Build Tailwind CSS (best-effort; skip if not configured)
python manage.py tailwind install || true python manage.py tailwind install || true
python manage.py tailwind build || true python manage.py tailwind build || true
@@ -12,4 +37,3 @@ python manage.py migrate --noinput
python manage.py ensure_admin python manage.py ensure_admin
exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
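Review bot: `mkcert -install` in the new certificate block adds mkcert's root CA to the container's own trust store (and, with libnss3-tools present, to root's NSS database); nginx only needs the leaf files the next line writes, so the install step does nothing for clients outside the container while making TLS clients inside it that use the system store trust a CA whose private key also lives in the container under `mkcert -CAROOT`. Dropping that line leaves `mkcert -cert-file ... "$DOMAIN"` working unchanged. The `openssl req` fallback produces a CN-only certificate, which current browsers and most HTTP client libraries reject; add `-addext "subjectAltName=DNS:$DOMAIN"` to that call. The outer `if [ ! -f ... ]` also means a changed `KEYWARDEN_DOMAIN` keeps serving the old certificate until the files are removed by hand, which deserves a comment on that line, e.g. `# Existing cert/key are reused; delete them to regenerate for a new domain.`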


@@ -20,8 +20,8 @@ services:
container_name: keywarden container_name: keywarden
volumes: volumes:
- ./app:/app - ./app:/app
- ./nginx/certs:/certs:ro - ./nginx/certs:/etc/nginx/certs
- ./nginx/logs:/etc/nginx/logs - ./nginx/logs:/var/log/nginx
ports: ports:
- "443:443" - "443:443"
depends_on: depends_on:
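Review bot: Dropping `:ro` on the `./nginx/certs` mount is needed for the entrypoint to write there, but it also means the generated `key.pem` now lands in the host checkout instead of staying inside the container; unless `nginx/certs/` is already excluded by `.gitignore` (not visible in this diff), the private key is one `git add -A` away from being committed. A single ignore entry for `nginx/certs/*.pem` closes that. The new `./nginx/logs:/var/log/nginx` mount matches the template's `error_log`/`access_log` paths; nginx opens those files as root before switching to `user nginx`, so expect root-owned files on the host side.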


@@ -1,30 +0,0 @@
# Default NGINX Config
server {
listen 8008;
listen [::]:8008;
server_name _;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name _;
ssl_certificate /certs/certificate.pem;
ssl_certificate_key /certs/key.pem;
include /certs/options-ssl-nginx.conf;
client_max_body_size 50M;
location / {
proxy_pass http://127.0.0.1:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}


@@ -0,0 +1,60 @@
# This file should be put under /etc/nginx/conf.d/
# Or place as /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
real_ip_header X-Forwarded-For;
include /etc/nginx/mime.types;
include options-ssl.conf;
include options-http-headers.conf;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
server {
listen 80;
listen [::]:80;
server_name __SERVER_NAME__;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name __SERVER_NAME__;
error_log /var/log/nginx/error.log warn;
access_log /var/log/nginx/access.log main;
ssl_certificate /etc/nginx/certs/certificate.pem;
ssl_certificate_key /etc/nginx/certs/key.pem;
include options-ssl.conf;
include options-https-headers.conf;
client_max_body_size 50M;
location / {
proxy_pass http://127.0.0.1:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
include options-https-headers.conf;
}
}
access_log /var/log/nginx/access.log main;
types_hash_bucket_size 128;
}
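Review bot: `real_ip_header X-Forwarded-For;` at the http level has no effect without a matching `set_real_ip_from`, so `$remote_addr` in the `main` log format and in the `X-Real-IP` header still carries the upstream proxy's address; either add `set_real_ip_from <reverse-proxy-cidr>;` beside it, limited to the proxy's own range so clients cannot forge their address, or remove the directive. `include options-https-headers.conf;` is pulled in at both the server level and inside `location /`; if that file consists of `add_header` lines, nginx does not merge them across levels, the location copy fully replaces the server copy, and one of the two includes is redundant. The `listen 80` redirect server is only reachable if port 80 is published, and the compose change in this commit still maps only 443, so either publish 80 or add a comment on that block stating it is intentionally internal.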