NomadBackup/nomad_backup/20251115_142246/vaultwarden.json
2025-11-21 13:07:40 -08:00


{
"Format": "hcl2",
"JobID": "vaultwarden",
"JobModifyIndex": 13570343,
"Namespace": "default",
"Source": "job \"vaultwarden\" {\n datacenters = [\"dc1\"]\n type = \"service\"\n\n constraint {\n attribute = \"${attr.kernel.name}\"\n value = \"linux\"\n }\n constraint {\n attribute = \"${attr.cpu.arch}\"\n operator = \"regexp\"\n value = \"arm64\"\n }\n\n group \"vaultwarden\" {\n count = 1\n task \"vaultwarden\" {\n driver = \"docker\"\n config {\n # image = \"vaultwarden/server:latest\"\n image = \"vaultwarden/server:1.32.7\"\n memory_hard_limit = 2048\n\n ports = [\"http\"]\n\n volumes = [\n \"/mnt/configs/${NOMAD_GROUP_NAME}/data:/data\",\n ]\n }\n env {\n // vaultwarden_SCAN_INTERVAL = \"120\"\n // vaultwarden_MUSIC_PATH = \"/music\"\n // vaultwarden_PODCAST_PATH = \"/podcasts\"\n ADMIN_TOKEN = \"VReYRX0RuSw3mxmGFG4+2ECY71l/wYmuD52NOWDur6e43z/inbUmJGUr5KU4wtjW\"\n ENABLE_DB_WAL = \"false\"\n DATABASE_URL= \"postgresql://postgres:postgres@master.postgres.service.dc1.consul:5432/vaultwarden\"\n }\n resources {\n cpu = 100 # 100 MHz\n memory = 128 # 128 MB\n }\n service {\n name = \"vaultwarden\"\n tags = [\n \"vaultwarden\",\n \"web\",\n \"urlprefix-/vaultwarden\",\n \"backend\",\n \"traefik.http.routers.vaultwardenlan.rule=Host(`vaultwarden.service.dc1.consul`)\",\n \"traefik.http.routers.vaultwardenwan.rule=Host(`vault.fbleagh.duckdns.org`)\",\n \"traefik.http.routers.vaultwardenwan-admin.rule=(Host(`vault.fbleagh.duckdns.org`) && PathPrefix(`/admin/`))\",\n \"traefik.http.routers.vaultwardenwan.tls=true\",\n // \"traefik.http.routers.vaultwardenwan.tls.certresolver=myresolver-int\",\n \"traefik.http.middlewares.vaultwardenwan-admin-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.4.0/22\",\n \"traefik.http.routers.nginx-admin.middlewares=vaultwardenwan-admin-ipwhitelist\",\n \"enable_gocast\",\n \"gocast_vip=192.168.1.246/32\",\n \"gocast_nat=tcp:8081:8081\",\n \"gocast_nat=udp:8081:8081\"\n ]\n // \"traefik.http.middlewares.vaultwarden_auth.basicauth.users=admin:$2y$05$cJGONoS0BFTeBUXqmETikeI14QhLDKIDkYuPdA1umIOC129grVMAm\",\n// 
https://github.com/dani-garcia/vaultwarden/issues/676\n// labels:\n// - traefik.enable=true\n// - traefik.docker.network=traefik\n// # Define middleware of 'redirect-https', set scheme and set permanent redirect as true\n// - traefik.http.middlewares.redirect-https.redirectScheme.scheme=https\n// - traefik.http.middlewares.redirect-https.redirectScheme.permanent=true\n// # Define service of 'bitwarden' for UI port when using entrypoint websecure (port 443)\n// - traefik.http.services.bitwarden.loadbalancer.server.port=80\n// - traefik.http.routers.bitwarden-https.rule=Host(`bitwarden.domain.tld`)\n// - traefik.http.routers.bitwarden-https.entrypoints=websecure\n// - traefik.http.routers.bitwarden-https.service=bitwarden\n// # Define service of 'bitwarden' for UI port when using entrypoint web (port 80)\n// - traefik.http.routers.bitwarden-http.rule=Host(`bitwarden.domain.tld`)\n// - traefik.http.routers.bitwarden-http.entrypoints=web\n// - traefik.http.routers.bitwarden-http.middlewares=redirect-https\n// - traefik.http.routers.bitwarden-http.service=bitwarden\n// # Define service of 'bitwarden-websocket' for socket port when using entrypoint websecure (port 443)\n// - traefik.http.services.bitwarden-websocket.loadbalancer.server.port=3012\n// - traefik.http.routers.bitwarden-websocket-https.rule=Host(`bitwarden.domain.tld`) && Path(`/notifications/hub`)\n// - traefik.http.routers.bitwarden-websocket-https.entrypoints=websecure\n// - traefik.http.routers.bitwarden-websocket-https.service=bitwarden-websocket\n// # Define service of 'bitwarden-websocket' for socket port when using entrypoint web (port 80)\n// - traefik.http.routers.bitwarden-websocket-http.rule=Host(`bitwarden.domain.tld`) && Path(`/notifications/hub`)\n// - traefik.http.routers.bitwarden-websocket-http.entrypoints=web\n// - traefik.http.routers.bitwarden-websocket-http.middlewares=redirect-https\n// - traefik.http.routers.bitwarden-websocket-http.service=bitwarden-websocket\n\n\n\n port = \"http\"\n 
meta {\n ALLOC = \"${NOMAD_ALLOC_ID}\"\n }\n check {\n type = \"tcp\"\n interval = \"10s\"\n timeout = \"2s\"\n }\n }\n } #end vaultwarden\n\n task \"init\" {\n driver = \"docker\"\n\n lifecycle {\n hook = \"prestart\"\n sidecar = false\n }\n\n config {\n image = \"ghcr.io/sstent/rsync\"\n memory_hard_limit = 2048\n\n volumes = [\n \"/mnt/configs/${NOMAD_GROUP_NAME}/data:/config\",\n \"/mnt/Public/config/${NOMAD_GROUP_NAME}:/configbackup\",\n \"/mnt/Public/config/locks:/locks\",\n ]\n\n args = [\"flock\", \"-x\", \"/locks/${NOMAD_GROUP_NAME}_rsync.lock\", \"rsync\", \"-avz\", \"--exclude='logs'\", \"--exclude='/run/*.sock'\", \"/configbackup/\", \"/config/\", \"--delete-before\"]\n }\n resources {\n cpu = 20 # 500 MHz\n memory = 20 # 128MB\n }\n } #end init task\n\n task \"finalsync\" {\n driver = \"docker\"\n\n lifecycle {\n hook = \"poststop\"\n }\n\n config {\n // image = \"pebalk/rsync\"\n image = \"ghcr.io/sstent/rsync\"\n memory_hard_limit = 2048\n\n volumes = [\n \"/mnt/configs/${NOMAD_GROUP_NAME}/data:/config\",\n \"/mnt/Public/config/${NOMAD_GROUP_NAME}:/configbackup\",\n \"/mnt/Public/config/locks:/locks\",\n ]\n\n args = [\"flock\", \"-x\", \"/locks/${NOMAD_GROUP_NAME}_rsync.lock\", \"rsync\", \"-av\", \"--exclude='logs'\", \"--exclude='/run/*.sock'\", \"/config/\", \"/configbackup/\", \"--remove-source-files\"]\n }\n resources {\n cpu = 20 # 500 MHz\n memory = 20 # 128MB\n }\n } #end finalsync task\n task \"sync\" {\n driver = \"docker\"\n lifecycle {\n hook = \"poststart\"\n sidecar = true\n }\n config {\n memory_hard_limit = \"2048\"\n\n image = \"ghcr.io/sstent/rsync\"\n volumes = [\n \"/mnt/configs/${NOMAD_GROUP_NAME}/data:/config\",\n \"/mnt/Public/config/${NOMAD_GROUP_NAME}:/configbackup\",\n ]\n args = [\"client\"]\n }\n env {\n CRON_TASK_1 = \"50 * * * * rsync -av --exclude='*.db' --exclude='*.db' --exclude='.*.db-litestream' --exclude='generations' /config/ /configbackup/;\"\n }\n resources {\n cpu = 20 # 500 MHz\n memory = 20 # 128MB\n }\n 
}\n\n\n network {\n // mbits = 100\n\n port \"http\" {\n static = 8081\n to = 80\n }\n }\n\n }\n}\n\n\n// Restore\n// There is no automated restore process to prevent accidental data loss. So if you need to restore a backup you need to do this manually by following the steps below (assuming your backups are located at ./backup/ and your vaultwarden data is located at /var/lib/docker/volumes/vaultwarden/_data/)\n\n// # Delete any existing sqlite3 files\n// rm /var/lib/docker/volumes/vaultwarden/_data/db.sqlite3*\n\n// # Copy the database to the vaultwarden folder\n// cp ./backup/db.sqlite3 /var/lib/docker/volumes/vaultwarden/_data/db.sqlite3\n\n// # Extract the additional folder from the archive\n// tar -xzvf ./backup/data.tar.gz -C /var/lib/docker/volumes/vaultwarden/_data/\n\n\n\n// ENV\tDescription\n// BACKUP_ADD_DATABASE 1\tSet to true to include the database itself in the backup\n// BACKUP_ADD_ATTACHMENTS 1\tSet to true to include the attachments folder in the backup\n// BACKUP_ADD_CONFIG_JSON 1\tSet to true to include config.json in the backup\n// BACKUP_ADD_ICON_CACHE 1\tSet to true to include the icon cache folder in the backup\n// BACKUP_ADD_RSA_KEY 1\tSet to true to include the RSA keys in the backup\n// BACKUP_ADD_SENDS 1\tSet to true to include the sends folder in the backup\n// BACKUP_DIR\tSets the path of the backup folder inside the container\n// BACKUP_DIR_PERMISSIONS\tSets the permissions of the backup folder (CAUTION 2). Set to -1 to disable.\n// CRONFILE\tPath to the cron file inside the container\n// CRON_TIME\tCronjob format \"Minute Hour Day_of_month Month_of_year Day_of_week Year\"\n// DELETE_AFTER\tDelete old backups after X many days. 
Set to 0 to disable\n// TIMESTAMP\tSet to true to append timestamp to the backup file\n// GID\tGroup ID to run the cron job with\n// HEALTHCHECK_URL\tSet a healthcheck url like https://hc-ping.com/xyz\n// LOG_LEVEL\tDEBUG, INFO, WARNING, ERROR, CRITICAL are supported\n// LOG_DIR\tPath to the logfile folder inside the container\n// LOG_DIR_PERMISSIONS\tSets the permissions of the backup folder. Set to -1 to disable.\n// TZ\tSet the timezone inside the container 3\n// UID\tUser ID to run the cron job with\n// VW_DATA_FOLDER 4\tSet the location of the vaultwarden data folder inside the container\n// VW_DATABASE_URL 4\tSet the location of the vaultwarden database file inside the container\n// VW_ATTACHMENTS_FOLDER 4\tSet the location of the vaultwarden attachments folder inside the container\n// VW_ICON_CACHE_FOLDER 4\tSet the location of the vaultwarden icon cache folder inside the container",
"VariableFlags": null,
"Variables": "",
"Version": 5
}