version: "2.3"

services:
  vaultwarden:
    image: vaultwarden/server:1.30.1-alpine
    restart: unless-stopped
    user: "{{ docker_user.id }}:{{ docker_user.id }}"
    volumes:
      - "{{ app_data_dir }}/vaultwarden/:/data"
    depends_on:
      - db
    dns:
      - 9.9.9.9
      - 149.112.112.112
    labels:
      - traefik.enable=true

      - traefik.http.routers.vaultwarden.rule=Host(`vaultwarden.jakehoward.tech`)
      - traefik.http.routers.vaultwarden.service=vaultwarden
      - traefik.http.services.vaultwarden.loadbalancer.server.port=80

      - traefik.http.middlewares.vaultwarden-ratelimit.ratelimit.average=5
      - traefik.http.middlewares.vaultwarden-ratelimit.ratelimit.burst=200

      - traefik.http.routers.vaultwarden.middlewares=vaultwarden-ratelimit
    environment:
      - SIGNUPS_ALLOWED=false
      - DOMAIN=https://vaultwarden.jakehoward.tech
      - SHOW_PASSWORD_HINT=false
      - DATABASE_URL=postgres://vaultwarden:{{ vaultwarden_database_password }}@db/vaultwarden
      - INVITATIONS_ALLOWED=false
      - ROCKET_WORKERS=2
      - EMERGENCY_ACCESS_ALLOWED=false
      - AUTHENTICATOR_DISABLE_TIME_DRIFT=true
    networks:
      - default
      - traefik

  db:
    image: postgres:14-alpine
    restart: unless-stopped
    volumes:
      - /mnt/speed/dbs/postgres/vaultwarden/:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD={{ vaultwarden_database_password }}
      - POSTGRES_USER=vaultwarden

networks:
  traefik:
    external: true