services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    networks:
      - traefik
    volumes:
      - ./data:/data
      - /etc/localtime:/etc/localtime:ro
    environment:
      - DATABASE_URL=${DATABASE_URL}
      - ADMIN_TOKEN=${ADMIN_TOKEN}
      - SIGNUPS_ALLOWED=false
      - DOMAIN=https://${DOMAIN}
      - SMTP_HOST=${SMTP_HOST}
      - SMTP_FROM=${SMTP_FROM}
      - SMTP_PORT=${SMTP_PORT}
      - SMTP_SECURITY=${SMTP_SECURITY}
      - SMTP_USERNAME=${SMTP_USERNAME}
      - SMTP_PASSWORD=${SMTP_PASSWORD}
    labels:
      - "traefik.enable=true"

      # Vaultwarden-specific security headers
      - "traefik.http.middlewares.vaultwarden-headers.headers.customResponseHeaders.X-XSS-Protection=0"
      - "traefik.http.middlewares.vaultwarden-headers.headers.customResponseHeaders.X-Content-Type-Options=nosniff"
      - "traefik.http.middlewares.vaultwarden-headers.headers.customResponseHeaders.Referrer-Policy=same-origin"
      - "traefik.http.middlewares.vaultwarden-headers.headers.customResponseHeaders.X-Robots-Tag=noindex, nofollow"
      - "traefik.http.middlewares.vaultwarden-headers.headers.customResponseHeaders.X-Frame-Options=SAMEORIGIN"

      # HTTP to HTTPS redirect
      - "traefik.http.routers.vaultwarden-http.rule=Host(`${DOMAIN}`)"
      - "traefik.http.routers.vaultwarden-http.entrypoints=http"
      - "traefik.http.routers.vaultwarden-http.service=vaultwarden"
      - "traefik.http.routers.vaultwarden-http.priority=100"
      - "traefik.http.routers.vaultwarden-http.middlewares=redirect-to-https@docker"

      # Main HTTP/HTTPS router
      - "traefik.http.routers.vaultwarden.rule=Host(`${DOMAIN}`)"
      - "traefik.http.routers.vaultwarden.entrypoints=https"
      - "traefik.http.routers.vaultwarden.tls=true"
      - "traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt"
      - "traefik.http.routers.vaultwarden.service=vaultwarden"
      - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"
      - "traefik.http.routers.vaultwarden.middlewares=geoblock@file,vaultwarden-headers,crowdsec-bouncer@file"

      # WebSocket router (required for real-time sync)
      - "traefik.http.routers.vaultwarden-ws.rule=Host(`${DOMAIN}`) && Path(`/notifications/hub`)"
      - "traefik.http.routers.vaultwarden-ws.entrypoints=https"
      - "traefik.http.routers.vaultwarden-ws.tls=true"
      - "traefik.http.routers.vaultwarden-ws.tls.certresolver=letsencrypt"
      - "traefik.http.routers.vaultwarden-ws.service=vaultwarden-ws"
      - "traefik.http.services.vaultwarden-ws.loadbalancer.server.port=3012"
      - "traefik.http.routers.vaultwarden-ws.middlewares=geoblock@file,crowdsec-bouncer@file"

      # Admin panel router (restricted to internal IPs)
      - "traefik.http.routers.vaultwarden-admin.rule=Host(`${DOMAIN}`) && PathPrefix(`/admin`)"
      - "traefik.http.routers.vaultwarden-admin.entrypoints=https"
      - "traefik.http.routers.vaultwarden-admin.tls=true"
      - "traefik.http.routers.vaultwarden-admin.tls.certresolver=letsencrypt"
      - "traefik.http.routers.vaultwarden-admin.service=vaultwarden"
      - "traefik.http.routers.vaultwarden-admin.middlewares=internal-whitelist@file,crowdsec-bouncer@file"

networks:
  traefik:
    external: true