version: "3.9"

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      # Base configuration
      - DOMAIN=${DOMAIN}
      - TZ=${TZ}
      - WEBSOCKET_ENABLED=true

      # Security
      - SIGNUPS_ALLOWED=false
      - ADMIN_TOKEN=${ADMIN_TOKEN}

      # Logging (optional)
      - LOG_FILE=/data/vaultwarden.log
      - LOG_LEVEL=info

    volumes:
      - ./vw-data:/data

    networks:
      - traefik_default

    labels:
      - "traefik.enable=true"

      # MAIN HTTP(S) APP
      - "traefik.http.routers.vaultwarden.rule=Host(`vaultwarden.rozic-dev.com`)"
      - "traefik.http.routers.vaultwarden.entrypoints=web,websecure"
      - "traefik.http.routers.vaultwarden.middlewares=redirect-to-https"
      - "traefik.http.routers.vaultwarden.tls=true"
      - "traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt"
      - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"

      # WEBSOCKET FOR LIVE UPDATES
      - "traefik.http.routers.vaultwarden-ws.rule=Host(`vaultwarden.rozic-dev.com`) && Path(`/notifications/hub`)"
      - "traefik.http.routers.vaultwarden-ws.entrypoints=web,websecure"
      - "traefik.http.routers.vaultwarden-ws.middlewares=redirect-to-https"
      - "traefik.http.routers.vaultwarden-ws.tls=true"
      - "traefik.http.routers.vaultwarden-ws.tls.certresolver=letsencrypt"
      - "traefik.http.services.vaultwarden-ws.loadbalancer.server.port=3012"

networks:
  traefik_default:
    external: true