---
version: "3"

services:
  bitwarden:
    image: vaultwarden/server:1.25.2
    container_name: vaultwarden
    restart: unless-stopped
    volumes:
      - ${STORAGE_BASE_PATH}:/data
    ports:
      - 8099:80
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.bitwarden.rule=Host(`${HOST_URL}`) && (PathPrefix(`/vault`))"
      - "traefik.http.routers.bitwarden.entrypoints=websecure"
      - "traefik.http.routers.bitwarden.tls.certresolver=default"
      - "traefik.http.services.bitwarden.loadbalancer.server.port=80"
      - "traefik.http.routers.bitwarden.service=bitwarden"
      - "traefik.http.routers.bitwarden_admin.rule=Host(`${HOST_URL}`) && (PathPrefix(`/vault/admin`))"
      - "traefik.http.routers.bitwarden_admin.entrypoints=websecure"
      - "traefik.http.routers.bitwarden_admin.tls.certresolver=default"
      - "traefik.http.services.bitwarden_admin.loadbalancer.server.port=80"
      - "traefik.http.routers.bitwarden_admin.service=bitwarden_admin"
      - "traefik.http.routers.bitwarden.middlewares=secHeaders@file"
      - "traefik.http.routers.bitwarden_websocket-secure.entrypoints=websecure"
      - "traefik.http.routers.bitwarden_websocket-secure.rule=Host(`${HOST_URL}`) && Path(`/vault/notifications/hub`)"
      - "traefik.http.routers.bitwarden_websocket-secure.tls=true"
      - "traefik.http.routers.bitwarden_websocket-secure.service=bitwarden_websocket"
      - "traefik.http.services.bitwarden_websocket.loadbalancer.server.port=3012"
    environment:
#      - "ADMIN_TOKEN=MTZRNK2u7z+6ldN5YcTz05f0lGOqzAQUBWBHRVE8ylTEEP9YyTc"
      - "ADMIN_TOKEN=${ADMIN_TOKEN}"
      - "WEBSOCKET_ENABLED=true"
      - "WEB_VAULT_ENABLED=true"
      - "DOMAIN=${DOMAIN}"
      - "SIGNUPS_ALLOWED=false"
    networks:
      - traefik_proxy

networks:
  traefik_proxy:
    external:
      name: traefik_proxy