# Vaultwarden - Password Manager (Bitwarden-compatible)
# Domain: ${SUBDOMAIN}.${DOMAIN}
# Database: None (SQLite, built-in)
# RAM: ~50MB (mem_limit: 256M) | Pi-compatible: Yes
#
# Environment variables:
#   DOMAIN            - Your domain (e.g., demo-felhom.eu)
#   ADMIN_TOKEN       - Admin panel token (auto-generated)
#   SIGNUPS_ALLOWED   - Set to "false" after creating your account(s)
#
# First-time setup:
#   1. Visit https://${SUBDOMAIN}.${DOMAIN} and create an account
#   2. Set SIGNUPS_ALLOWED=false via the controller
#   3. Admin panel at https://${SUBDOMAIN}.${DOMAIN}/admin (if ADMIN_TOKEN set)
#
# Clients:
#   Use any Bitwarden client (desktop, mobile, browser extension)
#   Set server URL to: https://${SUBDOMAIN}.${DOMAIN}

services:
  vaultwarden:
    image: vaultwarden/server:1.33.2-alpine
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      - DOMAIN=https://${SUBDOMAIN}.${DOMAIN}
      - SIGNUPS_ALLOWED=${SIGNUPS_ALLOWED:-true}
      - ADMIN_TOKEN=${ADMIN_TOKEN:-}
      - WEBSOCKET_ENABLED=true
      - TZ=Europe/Budapest
    volumes:
      - vaultwarden_data:/data
    networks:
      - traefik-public
    deploy:
      resources:
        limits:
          memory: 256M
    healthcheck:
      test: ["CMD", "wget", "--spider", "-q", "http://localhost:80/alive"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.vaultwarden.rule=Host(`${SUBDOMAIN}.${DOMAIN}`)"
      - "traefik.http.routers.vaultwarden.entrypoints=websecure"
      - "traefik.http.routers.vaultwarden.tls=true"
      - "traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt"
      - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"

volumes:
  vaultwarden_data:

networks:
  traefik-public:
    external: true