# VaultWarden with Tailscale Integration ![VaultWarden with Tailscale](https://www.vaultwarden.net/assets/images/logo-dark.png "VaultWarden") This project sets up a VaultWarden instance with Tailscale VPN integration using Docker Compose. It creates a secure, private network connection for your VaultWarden instance using Tailscale. ## Prerequisites - Docker and Docker Compose installed on your system - A Tailscale account and auth key (get one from https://login.tailscale.com/admin/authkeys) - HTTPS Certificates enabled in the DNS tab of Tailscale admin page - Basic understanding of Docker and networking concepts ## Project Structure ``` ts-vaultwarden/ ├── docker-compose.yml ├── tailscale/ │ ├── tailscale-data/ # Persistent Tailscale state │ └── config/ # Tailscale configuration files └── vaultwarden/ └── data/ # VaultWarden data ``` ## Setup Instructions 1. **Clone the Repository** ```bash git clone https://gitea.damconsulting.llc/DAM/ts-vaultwarden cd ts-vaultwarden ``` 2. Create Required Directories ```bash mkdir -p tailscale/tailscale-data vaultwarden/data ``` 3. Configure Tailscale - Replace `{{YOUR_TAILSCALE_AUTHKEY}}` in the docker-compose.yml with your actual Tailscale auth key - Optionally, update the file in `tailscale/config/serve.json` if you need specific Tailscale serve configurations - CAUTION: Changing `"${TS_CERT_DOMAIN}:443": false` to `true` will expose the service to the internet 4. Configure VaultWarden - Replace `{{YOUR_DOMAIN}}` in the `docker-compose.yml` - Configuring the Admin page (WebUI) - For a basic configuration update the following `ADMIN_TOKEN: "an-incredibly-complex-password-is-required"` in the `docker-compose.yml` and change the password. This password permits access to your admin page - For enterprise grade security follow these [directions](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token). - **OPTIONAL** Vaultwarden's configuration is primarily managed through environment variables or a [.env file](https://github.com/dani-garcia/vaultwarden/blob/main/.env.template) for configuration options - [Helpful Tutorial](https://www.techaddressed.com/tutorials/vaultwarden-docker-compose/#cost-features) 5. Start the Services ```bash docker compose up -d ``` 6. Wait for Certificate to propagate [~2m] 7. Login - After starting the services your service should be available via tailnet at https://vaultwarden.{{YOUR_TAILNET_DOMAIN}}.ts.net ie https://vaultwarden.tail12345.ts.net/ ## Services ### vaultwarden-ts (Tailscale) - Runs Tailscale VPN client - Image: tailscale/tailscale:latest - Container name: vaultwarden-ts - Hostname: vaultwarden - Requires NET_ADMIN and SYS_MODULE capabilities - Persists state in ./tailscale/tailscale-data - Uses configuration from ./tailscale/config ### vaultwarden - Depends on vaultwarden-ts service ## Usage - After starting the services your service should be available via tailnet at `https://vaultwarden.{{YOUR_TAILNET_DOMAIN}}.ts.net` ie `https://vaultwarden.tail12345.ts.net/` - To manually get the Tailscale IP/hostname of your container: ```bash docker logs vaultwarden-ts ``` Look for the Tailscale IP address in the logs. ## Optional Features - Add the port mapping if you need direct access (without Tailscale): ```yaml ports: - 80:80 ``` - Stopping the Services ```bash docker compose down ``` ## Troubleshooting - Check container logs: ```bash docker logs vaultwarden-ts docker logs vaultwarden ``` - Ensure your Tailscale auth key is valid and not expired - Verify the configuration files have proper permissions - Make sure required directories exist before starting ## Notes - The VaultWarden service uses the Tailscale service's network stack via `network_mode: service:vaultwarden-ts` - Direct port mapping is disabled by default as Tailscale handles the networking - Services restart automatically unless explicitly stopped - For more information: - Tailscale documentation: https://tailscale.com/kb/ - VaultWarden documentation: https://github.com/dani-garcia/vaultwarden/wiki - VaultWarden repository: https://github.com/dani-garcia/vaultwarden