services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      DOMAIN: "https://vault.ljh31.de"
      ADMIN_TOKEN: "bitte_sicheres_token_einsetzen"  # openssl rand -base64 48
      SIGNUPS_ALLOWED: "true"
      SIGNUPS_VERIFY: "false"
      WEBSOCKET_ENABLED: "true"
      LOG_LEVEL: "warn"

      # SMTP (optional)
      # SMTP_HOST: "smtp.example.com"
      # SMTP_FROM: "vaultwarden@ljh31.de"
      # SMTP_PORT: "587"
      # SMTP_SECURITY: "starttls"
      # SMTP_USERNAME: "user"
      # SMTP_PASSWORD: "passwort"

    volumes:
      - vaultwarden_data:/data

    expose:
      - "80"
      - "3012"

    networks:
      - traefik_proxy

    labels:
      # --- Traefik ---
      - "traefik.enable=true"

      # Haupt-App
      - "traefik.http.routers.vaultwarden.rule=Host(`vault.ljh31.de`)"
      - "traefik.http.routers.vaultwarden.entrypoints=websecure"
      - "traefik.http.routers.vaultwarden.tls=true"
      - "traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt"
      - "traefik.http.routers.vaultwarden.service=vaultwarden-svc"
      - "traefik.http.services.vaultwarden-svc.loadbalancer.server.port=80"

      # WebSocket
      - "traefik.http.routers.vaultwarden-ws.rule=Host(`vault.ljh31.de`) && Path(`/notifications/hub`)"
      - "traefik.http.routers.vaultwarden-ws.entrypoints=websecure"
      - "traefik.http.routers.vaultwarden-ws.tls=true"
      - "traefik.http.routers.vaultwarden-ws.tls.certresolver=letsencrypt"
      - "traefik.http.routers.vaultwarden-ws.service=vaultwarden-ws-svc"
      - "traefik.http.services.vaultwarden-ws-svc.loadbalancer.server.port=3012"

      # --- Homepage ---
      - "homepage.group=Security"
      - "homepage.name=Vaultwarden"
      - "homepage.icon=vaultwarden.png"
      - "homepage.href=https://vault.ljh31.de"
      - "homepage.description=Passwort-Manager"

volumes:
  vaultwarden_data:
    driver: local

networks:
  traefik_proxy:
    external: true