services:
  # 1️⃣ PostgreSQL-Server
  postgres:
    image: postgres:16-alpine
    container_name: vaultwarden-postgres
    restart: unless-stopped
    environment:
      - POSTGRES_USER=${POSTGRES_USER:-vaultwarden}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-vaultwarden}
      - POSTGRES_DB=${POSTGRES_DB:-vaultwarden}
    volumes:
      - "${PG_DATA:-./pgdata}:/var/lib/postgresql/data"
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "${POSTGRES_USER:-vaultwarden}"]
      interval: 10s
      timeout: 5s
      retries: 5

  # 2️⃣ Vaultwarden-Service
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    depends_on:
      postgres:
        condition: service_healthy
    environment:
      - DOMAIN=https://${DOMAIN:-localhost}
      - WEBSOCKET_ENABLED=true
      - SIGNUPS_ALLOWED=${SIGNUPS_ALLOWED:-false}
      - ADMIN_TOKEN=${ADMIN_TOKEN}
      # TLS KONFIGURATION
      - ROCKET_TLS={certs="/certs/fullchain.pem",key="/certs/privkey.pem"}
      - DATABASE_URL=postgresql://${POSTGRES_USER:-vaultwarden}:${POSTGRES_PASSWORD:-vaultwarden}@postgres:5432/${POSTGRES_DB:-vaultwarden}
    volumes:
      - "${VW_DATA:-./vw-data}:/data"
      # Wir mounten den lokalen certs-Ordner direkt in den Container
      - "./certs:/certs:ro"
    ports:
      - "${HOST_HTTP:-4430}:80"
    healthcheck:
      test: ["CMD", "curl", "-f", "-k", "https://localhost:80/health"]
      interval: 30s
      timeout: 10s
      retries: 3