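---
# Vaultwarden (Bitwarden-compatible password manager) published through Traefik.
# The container exposes no host ports; it is reachable only over the external
# `proxy-net` network, where Traefik terminates TLS and applies the middlewares.

# Reference links only; Compose ignores top-level `x-` extension fields.
x-info:
  repo: https://github.com/dani-garcia/vaultwarden
  releases: https://github.com/dani-garcia/vaultwarden/releases
  documentation: https://github.com/dani-garcia/vaultwarden#readme

services:
  vaultwarden:
    # NOTE(review): `latest` is a floating tag, so every pull can change the
    # code that holds the vault. Pin a release tag (or an image digest) from
    # the releases page above and upgrade deliberately.
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    networks:
      - proxy-net
    environment:
      # Must match the Host() rule in the Traefik router label below.
      DOMAIN: "https://vault.castaldifamily.com"
      # NOTE(review): recent Vaultwarden releases serve notifications on the
      # main HTTP port; check the release notes for whether this is still used.
      WEBSOCKET_ENABLED: "true"
      # Open registration is off; new accounts come from invitations only.
      SIGNUPS_ALLOWED: "false"
      INVITATIONS_ALLOWED: "true"
      # Gates the /admin panel, which this router also exposes publicly.
      # Vaultwarden accepts an Argon2 PHC string here (`vaultwarden hash`)
      # instead of a plaintext token; single-quote it in .env so Compose does
      # not interpolate its `$` characters. Keep .env out of version control.
      # Leaving ADMIN_TOKEN unset disables the admin panel entirely.
      ADMIN_TOKEN: "${VAULTWARDEN_ADMIN_TOKEN}"  # Store in .env or vault
      SHOW_PASSWORD_HINT: "false"
    volumes:
      # Holds the database, attachments and server keys: restrict host
      # permissions on this path and include it in encrypted backups.
      - /mnt/appdata/vaultwarden/data:/data/
    # Direct host publishing is intentionally disabled; if it is ever
    # re-enabled, keep the loopback bind so Traefik cannot be bypassed.
    # ports:
    #   - "127.0.0.1:8000:80"
    logging:
      driver: "json-file"
      options:
        # Rotate at 10 MB and keep three files so logs cannot fill the disk.
        max-size: "10m"
        max-file: "3"
    labels:
      # Enable Traefik
      - "traefik.enable=true"
      # HTTPS Router
      - "traefik.http.routers.vaultwarden.rule=Host(`vault.castaldifamily.com`)"
      - "traefik.http.routers.vaultwarden.entrypoints=websecure"
      - "traefik.http.routers.vaultwarden.tls=true"
      - "traefik.http.routers.vaultwarden.tls.certresolver=cloudflare"
      - "traefik.http.routers.vaultwarden.service=vaultwarden"
      # Apply existing security headers + stricter rate limit for password manager
      - "traefik.http.routers.vaultwarden.middlewares=security-headers@file,vaultwarden-ratelimit"
      # Service definition
      - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"
      # Custom rate limit (stricter than basic for password manager).
      # With Traefik's default 1s period this allows 20 requests/s on average
      # with bursts of 40.
      # NOTE(review): requests are grouped by the address Traefik sees; if
      # traffic arrives through a CDN or another proxy, set
      # ratelimit.sourcecriterion.ipstrategy so the limit applies per client
      # rather than per upstream proxy address.
      - "traefik.http.middlewares.vaultwarden-ratelimit.ratelimit.average=20"
      - "traefik.http.middlewares.vaultwarden-ratelimit.ratelimit.burst=40"

networks:
  # Pre-existing network shared with Traefik; it is not created by this file.
  proxy-net:
    external: true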