feat(vaultwarden): add initial Docker Compose configuration for Vaultwarden service

nodes/heimdall/vaultwarden/compose.yaml

@@ -0,0 +1,52 @@
+x-info:
+  repo: https://github.com/dani-garcia/vaultwarden
+  releases: https://github.com/dani-garcia/vaultwarden/releases
+  documentation: https://github.com/dani-garcia/vaultwarden#readme
+
+services:
+  vaultwarden:
+    image: vaultwarden/server:latest
+    container_name: vaultwarden
+    restart: unless-stopped
+    networks:
+      - proxy-net
+    environment:
+      DOMAIN: "https://vault.castaldifamily.com"
+      WEBSOCKET_ENABLED: "true"
+      SIGNUPS_ALLOWED: "false"
+      INVITATIONS_ALLOWED: "true"
+      ADMIN_TOKEN: "${VAULTWARDEN_ADMIN_TOKEN}"  # Store in .env or vault
+      SHOW_PASSWORD_HINT: "false"
+    volumes:
+      - /mnt/appdata/vaultwarden/data:/data/
+    # ports:
+    #   - 127.0.0.1:8000:80
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "10m"
+        max-file: "3"
+    labels:
+      # Enable Traefik
+      - "traefik.enable=true"
+      
+      # HTTPS Router
+      - "traefik.http.routers.vaultwarden.rule=Host(`vault.castaldifamily.com`)"
+      - "traefik.http.routers.vaultwarden.entrypoints=websecure"
+      - "traefik.http.routers.vaultwarden.tls=true"
+      - "traefik.http.routers.vaultwarden.tls.certresolver=cloudflare"
+      - "traefik.http.routers.vaultwarden.service=vaultwarden"
+      
+      # Apply existing security headers + stricter rate limit for password manager
+      - "traefik.http.routers.vaultwarden.middlewares=security-headers@file,vaultwarden-ratelimit"
+      
+      # Service definition
+      - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"
+      
+      # Custom rate limit (stricter than basic for password manager)
+      - "traefik.http.middlewares.vaultwarden-ratelimit.ratelimit.average=20"
+      - "traefik.http.middlewares.vaultwarden-ratelimit.ratelimit.burst=40"
+
+networks:
+  proxy-net:
+    external: true