services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    networks:
      - traefik-public
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.vault.rule=Host(`vault.speerfam.net`)"
      - "traefik.http.routers.vault.entrypoints=websecure"
      - "traefik.http.routers.vault.tls.certresolver=myresolver"
      
      # Pulling the security rules dynamically from our file provider setup
      - "traefik.http.routers.vault.middlewares=geoblock-policy@file,crowdsec-policy@file,secure-headers@file"
      - "traefik.http.services.vault.loadbalancer.server.port=8001"
    restart: always
    environment:
#      - WEBSOCKET_ENABLED=true
      - ROCKET_PORT=8001
#      - SIGNUPS_ALLOWED=true
      - SIGNUPS_VERIFY=false
      - INVITATIONS_ALLOWED=false
      - DOMAIN=https://vault.speerfam.net
#      - ADMIN_TOKEN=aXTrkbTvFALmcMj98937LTrQ3CCPht
      - SHOW_PASSWORD_HINT=true
      - SMTP_HOST=smtp.sendgrid.net
      - SMTP_FROM=vault@speerfam.net
      - SMTP_PORT=587
      - SMTP_SECURITY=starttls
      - SMTP_USERNAME=apikey
      - SMTP_PASSWORD=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
      - SMTP_AUTH_MECHANISM="Login"
    volumes:
      - /srv/docker/vaultwarden/data:/data
    ports:
#      - 3012:3012
#      - 127.0.0.1:8001:8001
      - 8001:8001

networks:
  traefik-public:
    external: true