vaultwarden/docker-compose.yml aktualisiert

vaultwarden/docker-compose.yml

@@ -1,27 +1,72 @@
-services:
+version: "3.9"
-  vaultwarden:
-    image: ${VW_IMAGE:-vaultwarden/server:latest}
-    restart: always
-    environment:
-      - DATABASE_URL=postgresql://${VW_POSTGRES_USER}:${VW_POSTGRES_PASSWORD}@postgres-server:5432/${VW_POSTGRES_DB}
-      - DOMAIN=${VW_URL}
-      - ADMIN_TOKEN=${VW_ADMIN_TOKEN}
-      - SIGNUPS_ALLOWED=${VW_SIGNUPS_ALLOWED}
-      - INVITATIONS_ALLOWED=${VW_INVITATIONS_ALLOWED}
-      - SHOW_PASSWORD_HINT=${VW_SHOW_HINTS}
-    ports:
-      - "${VW_PORT}:80"
-    volumes:
-      - ${VW_VOLUME}/data:/data
-    depends_on:
-      - postgres-server
 
-  postgres-server:
+services:
-    image: ${PG_IMAGE:-postgres:15-alpine}
+  # 1️⃣ Zertifikat‑Generator
-    restart: always
+  certgen:
-    environment:
+    image: alpine:3.20
-      - POSTGRES_DB=${VW_POSTGRES_DB}
+    container_name: certgen
-      - POSTGRES_USER=${VW_POSTGRES_USER}
+    # OpenSSL muss erst installiert werden
-      - POSTGRES_PASSWORD=${VW_POSTGRES_PASSWORD}
+    entrypoint: /bin/sh -c
+    command: >
+      "apk add --no-cache openssl &&
+      mkdir -p /certs/priv /certs/certs &&
+      if [ ! -f /certs/priv/privkey.pem ]; then
+        echo '🔒 Erzeuge Zertifikat...';
+        openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
+          -keyout /certs/priv/privkey.pem \
+          -out /certs/certs/fullchain.pem \
+          -subj '/CN=${DOMAIN:-localhost}' \
+          -addext 'subjectAltName = DNS:${DOMAIN:-localhost}, DNS:localhost';
+      else
+        echo '🔑 Zertifikat vorhanden.';
+      fi"
     volumes:
-      - ${VW_VOLUME}/db:/var/lib/postgresql/data
+      - "${CERT_DIR:-./certs}:/certs"
+
+  # 2️⃣ PostgreSQL‑Server
+  postgres:
+    image: postgres:16-alpine
+    container_name: vaultwarden-postgres
+    restart: unless-stopped
+    environment:
+      - POSTGRES_USER=${POSTGRES_USER:-vaultwarden}
+      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-vaultwarden}
+      - POSTGRES_DB=${POSTGRES_DB:-vaultwarden}
+    volumes:
+      - "${PG_DATA:-./pgdata}:/var/lib/postgresql/data"
+    healthcheck:
+      test: ["CMD", "pg_isready", "-U", "${POSTGRES_USER:-vaultwarden}"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+  # 3️⃣ Vaultwarden‑Service
+  vaultwarden:
+    image: vaultwarden/server:latest
+    container_name: vaultwarden
+    restart: unless-stopped
+    depends_on:
+      certgen:
+        condition: service_completed_successfully
+      postgres:
+        condition: service_healthy
+    environment:
+      - DOMAIN=https://${DOMAIN:-localhost}
+      - WEBSOCKET_ENABLED=true
+      - SIGNUPS_ALLOWED=${SIGNUPS_ALLOWED:-false} # Sicherheit: Standardmäßig false
+      - ADMIN_TOKEN=${ADMIN_TOKEN}
+      # TLS KONFIGURATION (Wichtig!)
+      - ROCKET_TLS={certs='//etc/ssl/certs/fullchain.pem',key='//etc/ssl/private/privkey.pem'}
+      - DATABASE_URL=postgresql://${POSTGRES_USER:-vaultwarden}:${POSTGRES_PASSWORD:-vaultwarden}@postgres:5432/${POSTGRES_DB:-vaultwarden}
+    volumes:
+      - "${VW_DATA:-./vw-data}:/data"
+      - "${CERT_DIR:-./certs}/priv/privkey.pem:/etc/ssl/private/privkey.pem:ro"
+      - "${CERT_DIR:-./certs}/certs/fullchain.pem:/etc/ssl/certs/fullchain.pem:ro"
+    ports:
+      - "${HOST_HTTP:-443}:80" 
+    healthcheck:
+      # Da TLS aktiv ist, muss der Check gegen HTTPS laufen
+      test: ["CMD", "curl", "-f", "-k", "https://localhost:80/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3