services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    env_file:
      - .env
    labels:
      - traefik.enable=true
      - traefik.http.routers.vw.rule=Host(`${SUBDOMAIN}.${DOMAIN_NAME}`)
      - traefik.http.routers.vw.tls=true
      - traefik.http.routers.vw.entrypoints=web,websecure
      - traefik.http.routers.vw.tls.certresolver=cloudflare
      - traefik.http.middlewares.vw.headers.SSLRedirect=true
      - traefik.http.middlewares.vw.headers.STSSeconds=315360000
      - traefik.http.middlewares.vw.headers.browserXSSFilter=true
      - traefik.http.middlewares.vw.headers.contentTypeNosniff=true
      - traefik.http.middlewares.vw.headers.forceSTSHeader=true
      - traefik.http.middlewares.vw.headers.SSLHost=${DOMAIN_NAME}
      - traefik.http.middlewares.vw.headers.STSIncludeSubdomains=true
      - traefik.http.middlewares.vw.headers.STSPreload=true
      - traefik.http.middlewares.vw.headers.frameDeny=true
      - traefik.http.routers.vw.middlewares=vw@docker
      - traefik.http.services.vw.loadbalancer.server.port=80
    volumes:
      - vw-data:/data/
    networks:
      - mgmt
volumes:
  vw-data:
    name: vw-data
networks:
  mgmt:
    external:
      true