version: "3.8"
services:
  bitwarden:
    image: vaultwarden/server
    container_name: bitwarden
    command:
      - /start.sh
    environment:
      - TZ=America/Montreal
      - WEBSOCKET_ENABLED=true
      - SIGNUPS_ALLOWED=false
      # Vaultwarden env var DOMAIN — the ${DOMAIN} on the RHS is expanded
      # by docker compose before the env var is set, so this resolves to
      # DOMAIN=https://pass.lazyworkhorse.net in production.
      - DOMAIN=https://pass.${DOMAIN}
    volumes:
      - /mnt/HoardingCow_docker_data/BitWarden/data:/data:rw
    networks:
      - passman_net
    restart: always
    labels:
      - "traefik.enable=true"

      # HTTP → HTTPS
      - "traefik.http.routers.pass-http.rule=Host(`pass.${DOMAIN}`)"
      - "traefik.http.routers.pass-http.entrypoints=web"
      - "traefik.http.routers.pass-http.middlewares=redirect-to-https"

      # HTTPS
      - "traefik.http.routers.pass-https.rule=Host(`pass.${DOMAIN}`)"
      - "traefik.http.routers.pass-https.entrypoints=websecure"
      - "traefik.http.routers.pass-https.tls=true"
      - "traefik.http.routers.pass-https.tls.certresolver=njalla"

      # Internal service
      - "traefik.http.services.pass.loadbalancer.server.port=80"
networks:
  passman_net:
    external: true