# Vaultwarden - Password Manager (Bitwarden-compatible)
# Domain: vault.{{DOMAIN}}
# Database: None (SQLite, built-in)
# RAM: ~50MB | Pi-compatible: Yes
#
# Environment variables (set in Portainer):
#   ADMIN_TOKEN     - Admin panel token (optional but recommended, generate with: openssl rand -hex 32)
#   SIGNUPS_ALLOWED - Set to "false" after creating your account(s)
#
# First-time setup:
#   1. Visit https://vault.{{DOMAIN}} and create an account
#   2. Set SIGNUPS_ALLOWED=false in Portainer env vars
#   3. Redeploy stack
#   4. Admin panel at https://vault.{{DOMAIN}}/admin (if ADMIN_TOKEN set)
#
# Clients:
#   Use any Bitwarden client (desktop, mobile, browser extension)
#   Set server URL to: https://vault.{{DOMAIN}}

services:
  vaultwarden:
    image: vaultwarden/server:1.33.2-alpine
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      - DOMAIN=https://vault.{{DOMAIN}}
      - SIGNUPS_ALLOWED=${SIGNUPS_ALLOWED:-true}
      - ADMIN_TOKEN=${ADMIN_TOKEN:-}
      - WEBSOCKET_ENABLED=true
      - TZ=Europe/Budapest
    volumes:
      - vaultwarden_data:/data
    networks:
      - traefik-public
    healthcheck:
      test: ["CMD", "wget", "--spider", "-q", "http://localhost:80/alive"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.vaultwarden.rule=Host(`vault.{{DOMAIN}}`)"
      - "traefik.http.routers.vaultwarden.entrypoints=websecure"
      - "traefik.http.routers.vaultwarden.tls=true"
      - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"

volumes:
  vaultwarden_data:

networks:
  traefik-public:
    external: true