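# vaultproxy — example Docker Compose deployment
#
# FIRST RUN:
#   1. Uncomment the `command:` line below
#   2. Run: docker compose up
#   3. The wizard will prompt for your Vaultwarden URL, email, and master password
#   4. Once setup completes, comment out `command:` again and restart
#
# The encrypted keystore is stored in ./config/ — back it up, and keep the host
# directory's permissions restricted to the user running the container.
#
# NETWORK MODE:
# network_mode: host is required so that vault-proxy binds to 127.0.0.1:3201
# on the *host*, making it reachable by MCP clients running on the host (e.g.
# Claude Desktop, Cursor). Without host networking, the container has its own
# network namespace and 127.0.0.1 inside the container is NOT the host's
# loopback — MCP clients on the host cannot connect.
#
# If host networking is unavailable (Docker Desktop, Podman rootless, Swarm):
#   - Replace `network_mode: host` with a port mapping:
#       ports:
#         - "127.0.0.1:3201:3201"
#         - "127.0.0.1:3202:3202"
#   - This works but only on Linux — macOS/Windows Docker Desktop does NOT
#     honour the 127.0.0.1 bind address on port mappings, which means the
#     ports will be reachable from the LAN. Use a firewall rule to block
#     external access on those ports in that case.
services:
  vaultproxy:
    # Use the published image (default — headless, no dashboard, no TPM).
    # The CI workflow (.github/workflows/docker-publish.yml) publishes
    # ghcr.io/aaronckj/vaultproxy:<tag> on each version tag push.
    #
    # `latest` is a moving tag: for a reproducible, auditable deployment pin a
    # version tag (ghcr.io/aaronckj/vaultproxy:<tag>) or an @sha256 digest and
    # update it deliberately.
    #
    # VAULT_PROXY_URL is automatically injected by vaultproxy into every
    # --launch child process — you do NOT need to add it to env manually.
    #
    # To build from source instead (e.g. to add the web dashboard on port 3202):
    # Comment out `image:` below and uncomment the `build:` block:
    #
    # build:
    #   context: .
    #   args:
    #     FEATURES: dashboard
    # ports:
    #   - "127.0.0.1:3202:3202"
    image: ghcr.io/aaronckj/vaultproxy:latest
    restart: unless-stopped
    network_mode: host  # Required: proxy must bind to 127.0.0.1:3201 on the host
    volumes:
      - ./config:/config  # Encrypted keystore lives here
    environment:
      VAULT_FOLDER: vault-proxy  # Must match your Vaultwarden folder name
      PROXY_TIMEOUT: "120"  # Quoted so the value stays a string for the consumer
      # NTFY_URL: https://ntfy.sh/your-topic  # Optional: push alert notifications
      # LITELLM_URL: http://localhost:4000  # Optional: browser rotation feature only
    # command: ["--setup"]  # Uncomment for first-run setup wizard
    # NOTE(review): the healthcheck assumes `curl` is present in the image — confirm
    # against the Dockerfile; if it is absent the container is reported unhealthy.
    healthcheck:
      test: ["CMD", "curl", "-sf", "http://127.0.0.1:3201/vault/health"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s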