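# Vaultwarden with its own (Rocket) TLS listener, a PostgreSQL backend and a
# one-shot helper that creates a self-signed certificate on the first run.
#
# Variables (put them in a .env file next to this compose file):
#   DOMAIN             hostname Vaultwarden is reached under (default: localhost)
#   CERT_DIR           host directory holding priv/privkey.pem and certs/fullchain.pem
#   PG_DATA, VW_DATA   host directories for the database cluster and Vaultwarden data
#   POSTGRES_USER/_DB  database user and name (default: vaultwarden)
#   POSTGRES_PASSWORD  required, no default (see the postgres service); must be
#                      URL-safe because it is embedded in DATABASE_URL
#   ADMIN_TOKEN        admin-page token; unset leaves the admin page disabled
#                      (Vaultwarden behaviour — confirm for the image version in use)
#   SIGNUPS_ALLOWED    default false
#   HOST_HTTP          host port published for the HTTPS listener (default: 443)
#
# `version` is ignored by Compose v2 (it only prints a warning); kept for older clients.
version: "3.9"

services:
  # 1️⃣ Certificate generator — one-shot, deliberately without a restart policy.
  # Only generates a self-signed certificate when no private key exists yet.
  certgen:
    image: alpine:3.20
    container_name: certgen
    # List form on purpose: the block scalar below reaches `sh -c` as ONE
    # argument, so Compose does not shell-split it and the `\` line
    # continuations survive. The original string form wrapped the script in
    # literal double quotes and relied on Compose's word splitting.
    entrypoint: ["/bin/sh", "-c"]
    command:
      - |
        set -eu
        apk add --no-cache openssl
        mkdir -p /certs/priv /certs/certs
        if [ ! -f /certs/priv/privkey.pem ]; then
          echo '🔒 Erzeuge Zertifikat...'
          # ${DOMAIN:-localhost} is expanded by Compose before the shell sees it.
          openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
            -keyout /certs/priv/privkey.pem \
            -out /certs/certs/fullchain.pem \
            -subj '/CN=${DOMAIN:-localhost}' \
            -addext 'subjectAltName = DNS:${DOMAIN:-localhost}, DNS:localhost'
          # The key lands on a host bind mount; keep it owner-readable only.
          chmod 600 /certs/priv/privkey.pem
        else
          echo '🔑 Zertifikat vorhanden.'
        fi
    volumes:
      - "${CERT_DIR:-./certs}:/certs"

  # 2️⃣ PostgreSQL server. Not published to the host; reachable only on the
  # Compose network. POSTGRES_* are read only when the data directory is empty
  # (first start); changing them later does not alter an existing cluster.
  postgres:
    image: postgres:16-alpine
    container_name: vaultwarden-postgres
    restart: unless-stopped
    environment:
      - POSTGRES_USER=${POSTGRES_USER:-vaultwarden}
      # No default password: Compose refuses to start when it is unset instead
      # of silently initialising the cluster with a well-known credential.
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD in .env}
      - POSTGRES_DB=${POSTGRES_DB:-vaultwarden}
    volumes:
      - "${PG_DATA:-./pgdata}:/var/lib/postgresql/data"
    healthcheck:
      # -d makes the readiness probe target the application database, not the
      # default one named after the user.
      test: ["CMD", "pg_isready", "-U", "${POSTGRES_USER:-vaultwarden}", "-d", "${POSTGRES_DB:-vaultwarden}"]
      interval: 10s
      timeout: 5s
      retries: 5

  # 3️⃣ Vaultwarden. TLS is terminated by Rocket itself (ROCKET_TLS); upstream
  # recommends a reverse proxy instead, but this keeps a single-container setup
  # working. No `user:` is set, so the container runs as root and can read the
  # 0600 private key.
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    depends_on:
      certgen:
        condition: service_completed_successfully
      postgres:
        condition: service_healthy
    environment:
      - DOMAIN=https://${DOMAIN:-localhost}
      - WEBSOCKET_ENABLED=true
      - SIGNUPS_ALLOWED=${SIGNUPS_ALLOWED:-false}  # security: closed by default
      - ADMIN_TOKEN=${ADMIN_TOKEN}
      # TLS CONFIGURATION (important!). Container-internal paths pointing into
      # the read-only directory mount below. Plain single-slash paths: the
      # former `//etc/...` form is a Git-Bash path-conversion workaround that is
      # not needed for values Compose passes straight into the container.
      - ROCKET_TLS={certs="/certs/certs/fullchain.pem",key="/certs/priv/privkey.pem"}
      # Password is required (same check as in the postgres service) and must
      # not contain URL-special characters such as '@' or '/'.
      - DATABASE_URL=postgresql://${POSTGRES_USER:-vaultwarden}:${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD in .env}@postgres:5432/${POSTGRES_DB:-vaultwarden}
    volumes:
      - "${VW_DATA:-./vw-data}:/data"
      # Mount the certificate directory rather than the two files: a bind mount
      # of a file that does not exist yet is created as an empty directory by
      # Docker, which would break certgen's first run.
      - "${CERT_DIR:-./certs}:/certs:ro"
    ports:
      # With ROCKET_TLS set, container port 80 speaks HTTPS. HOST_HTTP keeps its
      # historical name so existing .env files continue to work.
      - "${HOST_HTTP:-443}:80"
    healthcheck:
      # TLS is active, so the check must go against HTTPS; -k accepts the
      # self-signed certificate, --max-time bounds a hung handshake.
      test: ["CMD", "curl", "-f", "-k", "--max-time", "5", "https://localhost:80/health"]
      interval: 30s
      timeout: 10s
      retries: 3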