version: '3.7'

services:
  vaultwarden:
    image: vaultwarden/server:1.30.5
    container_name: vaultwarden
    restart: unless-stopped
    ports:
      - ${APP_PORT}:80
    environment:
      - WEBSOCKET_ENABLED=true
      - ADMIN_TOKEN=${VAULTWARDEN_ADMIN_PASSWORD}
    volumes:
      - ${APP_DATA_DIR}/data:/data
    networks:
      - tipi_main_network
    labels:
      # Main
      traefik.enable: true
      traefik.http.middlewares.vaultwarden-web-redirect.redirectscheme.scheme: https
      traefik.http.services.vaultwarden.loadbalancer.server.port: 80
      # Web
      traefik.http.routers.vaultwarden-insecure.rule: Host(`${APP_DOMAIN}`)
      traefik.http.routers.vaultwarden-insecure.entrypoints: web
      traefik.http.routers.vaultwarden-insecure.service: vaultwarden
      traefik.http.routers.vaultwarden-insecure.middlewares: vaultwarden-web-redirect
      # Websecure
      traefik.http.routers.vaultwarden.rule: Host(`${APP_DOMAIN}`)
      traefik.http.routers.vaultwarden.entrypoints: websecure
      traefik.http.routers.vaultwarden.service: vaultwarden
      traefik.http.routers.vaultwarden.tls.certresolver: myresolver
      # Local domain
      traefik.http.routers.vaultwarden-local-insecure.rule: Host(`vaultwarden.${LOCAL_DOMAIN}`)
      traefik.http.routers.vaultwarden-local-insecure.entrypoints: web
      traefik.http.routers.vaultwarden-local-insecure.service: vaultwarden
      traefik.http.routers.vaultwarden-local-insecure.middlewares: vaultwarden-web-redirect
      # Local domain secure
      traefik.http.routers.vaultwarden-local.rule: Host(`vaultwarden.${LOCAL_DOMAIN}`)
      traefik.http.routers.vaultwarden-local.entrypoints: websecure
      traefik.http.routers.vaultwarden-local.service: vaultwarden
      traefik.http.routers.vaultwarden-local.tls: true