services:
  vaultwarden:
    container_name: vaultwarden
    image: ghcr.io/polarix-containers/vaultwarden:latest
    restart: always
    volumes:
      - /home/titanz/vaultwarden:/data:Z
    ports:
      - "8081:8080/tcp"
    depends_on:
      postgres:
        condition: service_healthy
    environment:
      - SIGNUPS_ALLOWED=false
      - ADMIN_TOKEN=${ADMIN_TOKEN}
      - PUSH_ENABLED=true
      - PUSH_INSTALLATION_ID=${PUSH_INSTALLATION_ID}
      - PUSH_INSTALLATION_KEY=${PUSH_INSTALLATION_KEY}
      - DOMAIN=${DOMAIN}
      - ROCKET_PORT=8080
      - DATABASE_URL=postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_USER}
      - YUBICO_CLIENT_ID=82851
      - YUBICO_SECRET_KEY=mLPiA1hxQGOan61RXAtL63xLrLE=
    user: "3001:3001"
    read_only: true
    security_opt:
      - "no-new-privileges=true"
    cap_drop:
      - ALL

  postgres:
    container_name: vaultwarden-postgres
    image: ghcr.io/polarix-containers/postgres:17
    restart: always
    volumes:
      - ./postgres:/var/lib/postgresql/data:Z
    environment:
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "vaultwarden"]
      interval: 15s
      timeout: 5s
    user: "70:70"
    read_only: true
    tmpfs:
      - /var/run/postgresql:size=50M,mode=0770,uid=70,gid=70,noexec,nosuid,nodev
    security_opt:
      - "no-new-privileges=true"