services:
  vaultwarden:
    extends:
      file: ${TEMPLATES_PATH}
      service: default
    image: vaultwarden/server
    container_name: vaultwarden 
    ports:
      - 4018:80
    networks:
      - ip6net
    environment:
      DOMAIN: "https://vaultwarden.${PUBLIC_DOMAIN}"
      SIGNUPS_ALLOWED: false 
      INVITATIONS_ALLOWED: false
      SSO_ENABLED: false # for now sso does only help companies for role management and the master password is still necessary 
      SSO_ONLY: false 
      SSO_AUTHORITY: https://auth.${PUBLIC_DOMAIN}
      SSO_SCOPES: profile email offline_access
      SSO_CLIENT_ID: vaultwarden
      SSO_CLIENT_SECRET: ${VAULTWARDEN_SSO_SECRET}
    volumes:
      - ${EXTERNAL_STORAGE}/passwords:/data/
    labels:
      # Watchtower
      - "com.centurylinklabs.watchtower.enable=true"
      # Traefik
      - "traefik.enable=true"
      - "traefik.http.routers.vaultwarden.rule=Host(`vaultwarden.${PUBLIC_DOMAIN}`)"
      - "traefik.http.routers.vaultwarden.entrypoints=https"
      - "traefik.http.routers.vaultwarden.tls=true"
      - "traefik.http.routers.vaultwarden.tls.certresolver=myresolver"
      # Middlewares
      - "traefik.http.routers.vaultwarden.middlewares=crowdsec-bouncer@file"