From 082ee4f7afe51bd5ebef436464dfdef1f0c7fc8e Mon Sep 17 00:00:00 2001
From: nathan
Date: Sun, 12 Apr 2026 13:56:08 -0400
Subject: [PATCH] feat(vaultwarden): add initial Docker Compose configuration for Vaultwarden service
---
 nodes/heimdall/vaultwarden/compose.yaml | 52 +++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 nodes/heimdall/vaultwarden/compose.yaml
diff --git a/nodes/heimdall/vaultwarden/compose.yaml b/nodes/heimdall/vaultwarden/compose.yaml
new file mode 100644
index 0000000..8095b48
--- /dev/null
+++ b/nodes/heimdall/vaultwarden/compose.yaml
@@ -0,0 +1,52 @@
+x-info:
+ repo: https://github.com/dani-garcia/vaultwarden
+ releases: https://github.com/dani-garcia/vaultwarden/releases
+ documentation: https://github.com/dani-garcia/vaultwarden#readme
+
+services:
+ vaultwarden:
+ image: vaultwarden/server:latest
+ container_name: vaultwarden
+ restart: unless-stopped
+ networks:
+ - proxy-net
+ environment:
+ DOMAIN: "https://vault.castaldifamily.com"
+ WEBSOCKET_ENABLED: "true"
+ SIGNUPS_ALLOWED: "false"
+ INVITATIONS_ALLOWED: "true"
+ ADMIN_TOKEN: "${VAULTWARDEN_ADMIN_TOKEN}" # Store in .env or vault
+ SHOW_PASSWORD_HINT: "false"
+ volumes:
+ - /mnt/appdata/vaultwarden/data:/data/
+ # ports:
+ # - 127.0.0.1:8000:80
+ logging:
+ driver: "json-file"
+ options:
+ max-size: "10m"
+ max-file: "3"
+ labels:
+ # Enable Traefik
+ - "traefik.enable=true"
+
+ # HTTPS Router
+ - "traefik.http.routers.vaultwarden.rule=Host(`vault.castaldifamily.com`)"
+ - "traefik.http.routers.vaultwarden.entrypoints=websecure"
+ - "traefik.http.routers.vaultwarden.tls=true"
+ - "traefik.http.routers.vaultwarden.tls.certresolver=cloudflare"
+ - "traefik.http.routers.vaultwarden.service=vaultwarden"
+
+ # Apply existing security headers + stricter rate limit for password manager
+ - "traefik.http.routers.vaultwarden.middlewares=security-headers@file,vaultwarden-ratelimit"
+
+ # Service definition
+ - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"
+
+ # Custom rate limit (stricter than basic for password manager)
+ - "traefik.http.middlewares.vaultwarden-ratelimit.ratelimit.average=20"
+ - "traefik.http.middlewares.vaultwarden-ratelimit.ratelimit.burst=40"
+
+networks:
+ proxy-net:
+ external: true
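Review bot: `image: vaultwarden/server:latest` puts the password manager on a mutable tag, so any pull or recreate can change the code that holds the vault without a reviewed commit; pin a release tag and digest, e.g. `image: vaultwarden/server:<release-tag>@sha256:<digest>` (placeholders), and bump it deliberately. `ADMIN_TOKEN: "${VAULTWARDEN_ADMIN_TOKEN}"` interpolates to an empty string when the variable is missing, so `ADMIN_TOKEN: "${VAULTWARDEN_ADMIN_TOKEN:?VAULTWARDEN_ADMIN_TOKEN must be set}"` would make a misconfigured deploy fail loudly instead of starting in an unintended state. Vaultwarden also accepts an Argon2 PHC hash in this variable instead of a plaintext token, which is preferable because the value is readable from the container's environment; the `$` characters of the hash need escaping or single-quoting in `.env`. The router's Host rule matches every path, so the `/admin` page is reachable from wherever the vault is; consider a second router for the `/admin` prefix with an IP allow-list middleware, or leave the token unset after initial setup. The service also runs with default container privileges, and `security_opt: ["no-new-privileges:true"]` would be a cheap addition if the image works with it.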