72 lines
2.5 KiB
YAML
72 lines
2.5 KiB
YAML
version: "3.9"
|
||
|
||
services:
|
||
# 1️⃣ Zertifikat‑Generator
|
||
certgen:
|
||
image: alpine:3.20
|
||
container_name: certgen
|
||
# OpenSSL muss erst installiert werden
|
||
entrypoint: /bin/sh -c
|
||
command: >
|
||
"apk add --no-cache openssl &&
|
||
mkdir -p /certs/priv /certs/certs &&
|
||
if [ ! -f /certs/priv/privkey.pem ]; then
|
||
echo '🔒 Erzeuge Zertifikat...';
|
||
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
|
||
-keyout /certs/priv/privkey.pem \
|
||
-out /certs/certs/fullchain.pem \
|
||
-subj '/CN=${DOMAIN:-localhost}' \
|
||
-addext 'subjectAltName = DNS:${DOMAIN:-localhost}, DNS:localhost';
|
||
else
|
||
echo '🔑 Zertifikat vorhanden.';
|
||
fi"
|
||
volumes:
|
||
- "${CERT_DIR:-./certs}:/certs"
|
||
|
||
# 2️⃣ PostgreSQL‑Server
|
||
postgres:
|
||
image: postgres:16-alpine
|
||
container_name: vaultwarden-postgres
|
||
restart: unless-stopped
|
||
environment:
|
||
- POSTGRES_USER=${POSTGRES_USER:-vaultwarden}
|
||
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-vaultwarden}
|
||
- POSTGRES_DB=${POSTGRES_DB:-vaultwarden}
|
||
volumes:
|
||
- "${PG_DATA:-./pgdata}:/var/lib/postgresql/data"
|
||
healthcheck:
|
||
test: ["CMD", "pg_isready", "-U", "${POSTGRES_USER:-vaultwarden}"]
|
||
interval: 10s
|
||
timeout: 5s
|
||
retries: 5
|
||
|
||
# 3️⃣ Vaultwarden‑Service
|
||
vaultwarden:
|
||
image: vaultwarden/server:latest
|
||
container_name: vaultwarden
|
||
restart: unless-stopped
|
||
depends_on:
|
||
certgen:
|
||
condition: service_completed_successfully
|
||
postgres:
|
||
condition: service_healthy
|
||
environment:
|
||
- DOMAIN=https://${DOMAIN:-localhost}
|
||
- WEBSOCKET_ENABLED=true
|
||
- SIGNUPS_ALLOWED=${SIGNUPS_ALLOWED:-false} # Sicherheit: Standardmäßig false
|
||
- ADMIN_TOKEN=${ADMIN_TOKEN}
|
||
# TLS KONFIGURATION (Wichtig!)
|
||
- ROCKET_TLS={certs='//etc/ssl/certs/fullchain.pem',key='//etc/ssl/private/privkey.pem'}
|
||
- DATABASE_URL=postgresql://${POSTGRES_USER:-vaultwarden}:${POSTGRES_PASSWORD:-vaultwarden}@postgres:5432/${POSTGRES_DB:-vaultwarden}
|
||
volumes:
|
||
- "${VW_DATA:-./vw-data}:/data"
|
||
- "${CERT_DIR:-./certs}/priv/privkey.pem:/etc/ssl/private/privkey.pem:ro"
|
||
- "${CERT_DIR:-./certs}/certs/fullchain.pem:/etc/ssl/certs/fullchain.pem:ro"
|
||
ports:
|
||
- "${HOST_HTTP:-443}:80"
|
||
healthcheck:
|
||
# Da TLS aktiv ist, muss der Check gegen HTTPS laufen
|
||
test: ["CMD", "curl", "-f", "-k", "https://localhost:80/health"]
|
||
interval: 30s
|
||
timeout: 10s
|
||
retries: 3 |