2026-04-01 08:14:17 +00:00
|
|
|
|
version: "3.9"
|
|
|
|
|
|
|
2026-03-28 10:32:15 +00:00
|
|
|
|
services:
|
2026-04-01 08:14:17 +00:00
|
|
|
|
# 1️⃣ Zertifikat‑Generator
|
2026-04-01 08:35:36 +00:00
|
|
|
|
# 1️⃣ Zertifikat‑Generator
|
2026-04-01 08:14:17 +00:00
|
|
|
|
certgen:
|
|
|
|
|
|
image: alpine:3.20
|
|
|
|
|
|
container_name: certgen
|
|
|
|
|
|
entrypoint: /bin/sh -c
|
2026-04-01 08:35:36 +00:00
|
|
|
|
command: |
|
2026-04-01 08:14:17 +00:00
|
|
|
|
"apk add --no-cache openssl &&
|
|
|
|
|
|
mkdir -p /certs/priv /certs/certs &&
|
|
|
|
|
|
if [ ! -f /certs/priv/privkey.pem ]; then
|
|
|
|
|
|
echo '🔒 Erzeuge Zertifikat...';
|
|
|
|
|
|
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
|
|
|
|
|
|
-keyout /certs/priv/privkey.pem \
|
|
|
|
|
|
-out /certs/certs/fullchain.pem \
|
|
|
|
|
|
-subj '/CN=${DOMAIN:-localhost}' \
|
|
|
|
|
|
-addext 'subjectAltName = DNS:${DOMAIN:-localhost}, DNS:localhost';
|
|
|
|
|
|
else
|
|
|
|
|
|
echo '🔑 Zertifikat vorhanden.';
|
|
|
|
|
|
fi"
|
|
|
|
|
|
volumes:
|
|
|
|
|
|
- "${CERT_DIR:-./certs}:/certs"
|
|
|
|
|
|
|
|
|
|
|
|
# 2️⃣ PostgreSQL‑Server
|
|
|
|
|
|
postgres:
|
|
|
|
|
|
image: postgres:16-alpine
|
|
|
|
|
|
container_name: vaultwarden-postgres
|
|
|
|
|
|
restart: unless-stopped
|
2026-03-28 10:32:15 +00:00
|
|
|
|
environment:
|
2026-04-01 08:14:17 +00:00
|
|
|
|
- POSTGRES_USER=${POSTGRES_USER:-vaultwarden}
|
|
|
|
|
|
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-vaultwarden}
|
|
|
|
|
|
- POSTGRES_DB=${POSTGRES_DB:-vaultwarden}
|
2026-03-28 10:32:15 +00:00
|
|
|
|
volumes:
|
2026-04-01 08:14:17 +00:00
|
|
|
|
- "${PG_DATA:-./pgdata}:/var/lib/postgresql/data"
|
|
|
|
|
|
healthcheck:
|
|
|
|
|
|
test: ["CMD", "pg_isready", "-U", "${POSTGRES_USER:-vaultwarden}"]
|
|
|
|
|
|
interval: 10s
|
|
|
|
|
|
timeout: 5s
|
|
|
|
|
|
retries: 5
|
2026-03-28 10:32:15 +00:00
|
|
|
|
|
2026-04-01 08:14:17 +00:00
|
|
|
|
# 3️⃣ Vaultwarden‑Service
|
|
|
|
|
|
vaultwarden:
|
|
|
|
|
|
image: vaultwarden/server:latest
|
|
|
|
|
|
container_name: vaultwarden
|
|
|
|
|
|
restart: unless-stopped
|
|
|
|
|
|
depends_on:
|
|
|
|
|
|
certgen:
|
|
|
|
|
|
condition: service_completed_successfully
|
|
|
|
|
|
postgres:
|
|
|
|
|
|
condition: service_healthy
|
2026-03-28 10:32:15 +00:00
|
|
|
|
environment:
|
2026-04-01 08:14:17 +00:00
|
|
|
|
- DOMAIN=https://${DOMAIN:-localhost}
|
|
|
|
|
|
- WEBSOCKET_ENABLED=true
|
|
|
|
|
|
- SIGNUPS_ALLOWED=${SIGNUPS_ALLOWED:-false} # Sicherheit: Standardmäßig false
|
|
|
|
|
|
- ADMIN_TOKEN=${ADMIN_TOKEN}
|
|
|
|
|
|
# TLS KONFIGURATION (Wichtig!)
|
|
|
|
|
|
- ROCKET_TLS={certs='//etc/ssl/certs/fullchain.pem',key='//etc/ssl/private/privkey.pem'}
|
|
|
|
|
|
- DATABASE_URL=postgresql://${POSTGRES_USER:-vaultwarden}:${POSTGRES_PASSWORD:-vaultwarden}@postgres:5432/${POSTGRES_DB:-vaultwarden}
|
2026-03-28 10:32:15 +00:00
|
|
|
|
volumes:
|
2026-04-01 08:14:17 +00:00
|
|
|
|
- "${VW_DATA:-./vw-data}:/data"
|
|
|
|
|
|
- "${CERT_DIR:-./certs}/priv/privkey.pem:/etc/ssl/private/privkey.pem:ro"
|
|
|
|
|
|
- "${CERT_DIR:-./certs}/certs/fullchain.pem:/etc/ssl/certs/fullchain.pem:ro"
|
|
|
|
|
|
ports:
|
|
|
|
|
|
- "${HOST_HTTP:-443}:80"
|
|
|
|
|
|
healthcheck:
|
|
|
|
|
|
# Da TLS aktiv ist, muss der Check gegen HTTPS laufen
|
|
|
|
|
|
test: ["CMD", "curl", "-f", "-k", "https://localhost:80/health"]
|
|
|
|
|
|
interval: 30s
|
|
|
|
|
|
timeout: 10s
|
|
|
|
|
|
retries: 3
|