docker-apps/vaultwarden/stacks/compose.yml

name: vaultwarden

secrets:
  vaultwarden_postgresql_database:
    file: "${SECRETSDIR}/vaultwarden_postgresql_database"
  vaultwarden_postgresql_username:
    file: "${SECRETSDIR}/vaultwarden_postgresql_username"
  vaultwarden_postgresql_password:
    file: "${SECRETSDIR}/vaultwarden_postgresql_password"
  vaultwarden_database_url:
    file: "${SECRETSDIR}/vaultwarden_database_url"
  smtp_from:
    file: "${SECRETSDIR}/smtp_from"
  smtp_username:
    file: "${SECRETSDIR}/smtp_username"
  smtp_password:
    file: "${SECRETSDIR}/smtp_password"
  smtp_host:
    file: "${SECRETSDIR}/smtp_host"

networks:
  traefik-net:
    external: true
  vaultwarden-net:
    external: true
    
services:
  vaultwarden:
    image: vaultwarden/server:latest
    hostname: "${APPLICATION_NAME}"
    networks:
      - traefik-net
      - vaultwarden-net
    env_file: .vaultwarden.env
    secrets:
      - vaultwarden_database_url
      - smtp_from
      - smtp_username
      - smtp_password
      - smtp_host
    volumes:
      - "${DATADIR}/appdata:/data:rw"
    restart: unless-stopped
    depends_on:
      postgresql:
        condition: service_healthy
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik-net
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)"
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"

  postgresql:
    image: postgres:16-alpine
    hostname: "vaultwarden_postgresql"
    env_file: .postgresql.env
    shm_size: 128mb # https://hub.docker.com/_/postgres
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    networks:
      vaultwarden-net:
          aliases: ["vaultwarden_postgresql"]
    secrets:
      - ${APPLICATION_NAME}_postgresql_database
      - ${APPLICATION_NAME}_postgresql_username
      - ${APPLICATION_NAME}_postgresql_password
    volumes:
      - "${DATADIR}/pgdata:/var/lib/postgresql/data"
      - "${DATADIR}/pgbackups:/mnt/backups"