homelab-infra/security/vaultwarden/docker-compose.yml

services:
  vaultwarden:
    image: vaultwarden/server:1.35.7@sha256:9a8eec71f4a52411cc43edc7a50f33e9b6f62b5baca0dd95f0c6e7fd60f1a341
    container_name: vaultwarden
    restart: unless-stopped

    environment:
      TZ: Europe/Berlin
      DOMAIN: https://vault.kaleschke.info
      WEBSOCKET_ENABLED: "true"
      SIGNUPS_ALLOWED: "false"
      INVITATIONS_ALLOWED: "false"
      ADMIN_TOKEN_FILE: /run/secrets/admin_token
      ROCKET_PORT: 80
      ROCKET_ADDRESS: 0.0.0.0

    volumes:
      - /mnt/user/appdata/vaultwarden:/data
      - /mnt/user/appdata/secrets/vaultwarden_admin_token.txt:/run/secrets/admin_token:ro

    networks:
      - frontend_net

    security_opt:
      - no-new-privileges:true

    healthcheck:
      # vaultwarden image ships curl, not wget
      test: ["CMD-SHELL", "curl -fsS http://localhost:80/alive || exit 1"]
      interval: 30s
      timeout: 5s
      retries: 5
      start_period: 30s

    labels:
      - traefik.enable=true
      - traefik.docker.network=frontend_net
      - traefik.http.routers.vaultwarden.rule=Host(`vault.kaleschke.info`)
      - traefik.http.routers.vaultwarden.entrypoints=websecure
      - traefik.http.routers.vaultwarden.tls=true
      - traefik.http.routers.vaultwarden.tls.certresolver=le
      - traefik.http.services.vaultwarden.loadbalancer.server.port=80
      
networks:
  frontend_net:
    external: true