services:
  vaultwarden:
    image: vaultwarden/server:1.36.0@sha256:d626d04934cd1192ad8ced1adb975099fca78cec33ab467d2d3c923cde7f3b0c
    container_name: vaultwarden
    restart: unless-stopped

    environment:
      TZ: Europe/Berlin
      DOMAIN: https://vault.kaleschke.info
      WEBSOCKET_ENABLED: "true"
      SIGNUPS_ALLOWED: "false"
      INVITATIONS_ALLOWED: "false"
      ADMIN_TOKEN_FILE: /run/secrets/admin_token
      ROCKET_PORT: 80
      ROCKET_ADDRESS: 0.0.0.0

    volumes:
      - /mnt/user/appdata/vaultwarden:/data
      - /mnt/user/appdata/secrets/vaultwarden_admin_token.txt:/run/secrets/admin_token:ro

    networks:
      - frontend_net

    security_opt:
      - no-new-privileges:true

    healthcheck:
      # vaultwarden image ships curl, not wget
      test: ["CMD-SHELL", "curl -fsS http://localhost:80/alive || exit 1"]
      interval: 30s
      timeout: 5s
      retries: 5
      start_period: 30s

    labels:
      - traefik.enable=true
      - traefik.docker.network=frontend_net
      - traefik.http.routers.vaultwarden.rule=Host(`vault.kaleschke.info`)
      - traefik.http.routers.vaultwarden.entrypoints=websecure
      - traefik.http.routers.vaultwarden.tls=true
      - traefik.http.routers.vaultwarden.tls.certresolver=le
      - traefik.http.services.vaultwarden.loadbalancer.server.port=80
      
networks:
  frontend_net:
    external: true