---

services:
  passwd:
    image: vaultwarden/server:latest
    volumes:
      - {{ passwd_base }}/volumes/data:/data
    environment:
      - TZ={{ timezone }}
      - DEPLOYMENT_TIME={{ deployment_time }}
      - DOMAIN=https://{{ passwd_domain }}
      - SENDS_ALLOWED=true
      - EMERGENCY_ACCESS_ALLOWED=true
      - WEB_VAULT_ENABLED=true

      - SIGNUPS_ALLOWED=false
      - SIGNUPS_VERIFY=true
      - SIGNUPS_VERIFY_RESEND_TIME=3600
      - SIGNUPS_VERIFY_RESEND_LIMIT=5
      - SIGNUPS_DOMAINS_WHITELIST={{ domain }}

      - SMTP_HOST={{ mail_domain }}
      - SMTP_FROM={{ info_mail }}
      - SMTP_FROM_NAME=VaultWarden
      - SMTP_SECURITY=force_tls
      - SMTP_PORT=465
      - SMTP_USERNAME={{ info_mail_user }}
      - SMTP_PASSWORD={{ info_mail_password }}

      - YUBICO_SECRET_KEY={{ yubico_secret_key }}
      - YUBICO_CLIENT_ID={{ yubico_client_id }}
    networks:
      - proxy
    healthcheck:
      test: ["CMD", "/healthcheck.sh"]
      start_period: 10s
    deploy:
      mode: replicated
      update_config:
        parallelism: 1
        failure_action: rollback
        order: stop-first
        monitor: 30s
      replicas: 1
      labels:
        - traefik.enable=true
        - traefik.swarm.network=proxy
        - traefik.http.routers.passwd.tls=true
        - traefik.http.routers.passwd.tls.certResolver=letsencrypt
        - traefik.http.routers.passwd.rule=Host(`{{ passwd_domain }}`)
        - traefik.http.routers.passwd.entrypoints=websecure
        - traefik.http.services.passwd.loadbalancer.server.port=80

networks:
  proxy:
    external: true