vault/compose.yaml

services:
  vaultwarden:
    image: ${VAULT_IMAGE:-vaultwarden/server:latest}
    container_name: ${VAULT_COMPOSE_PROJECT_NAME}_app
    restart: unless-stopped
    volumes:
      - vaultwarden_data:/data
    environment:
      TZ: ${TIMEZONE:-Europe/Berlin}
      DOMAIN: https://${VAULT_TRAEFIK_HOST}
      WEBSOCKET_ENABLED: ${VAULT_WEBSOCKET_ENABLED:-true}
      SIGNUPS_ALLOWED: ${VAULT_SIGNUPS_ALLOWED:-false}
      INVITATIONS_ALLOWED: ${VAULT_INVITATIONS_ALLOWED:-true}
      SHOW_PASSWORD_HINT: ${VAULT_SHOW_PASSWORD_HINT:-false}
    networks:
      - compose_network
    labels:
      - 'traefik.enable=${VAULT_TRAEFIK_ENABLED}'
      - 'traefik.http.middlewares.${VAULT_COMPOSE_PROJECT_NAME}-redirect-web-secure.redirectscheme.scheme=https'
      - 'traefik.http.routers.${VAULT_COMPOSE_PROJECT_NAME}-web.middlewares=${VAULT_COMPOSE_PROJECT_NAME}-redirect-web-secure'
      - 'traefik.http.routers.${VAULT_COMPOSE_PROJECT_NAME}-web.rule=Host(`${VAULT_TRAEFIK_HOST}`)'
      - 'traefik.http.routers.${VAULT_COMPOSE_PROJECT_NAME}-web.entrypoints=web'
      - 'traefik.http.routers.${VAULT_COMPOSE_PROJECT_NAME}-web-secure.rule=Host(`${VAULT_TRAEFIK_HOST}`)'
      - 'traefik.http.routers.${VAULT_COMPOSE_PROJECT_NAME}-web-secure.tls.certresolver=resolver'
      - 'traefik.http.routers.${VAULT_COMPOSE_PROJECT_NAME}-web-secure.entrypoints=web-secure'
      - 'traefik.http.middlewares.${VAULT_COMPOSE_PROJECT_NAME}-web-secure-compress.compress=true'
      - 'traefik.http.routers.${VAULT_COMPOSE_PROJECT_NAME}-web-secure.middlewares=${VAULT_COMPOSE_PROJECT_NAME}-web-secure-compress'
      - 'traefik.http.services.${VAULT_COMPOSE_PROJECT_NAME}-web-secure.loadbalancer.server.port=80'
      - 'traefik.docker.network=${NETWORK_NAME}'
      - 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}'

volumes:
  vaultwarden_data:
    name: ${VAULT_COMPOSE_PROJECT_NAME}_data

networks:
  compose_network:
    name: ${NETWORK_NAME}
    external: true
feat: add Vaultwarden password manager stack Added self-hosted password manager to The Falcon infrastructure: Vault Stack (vault.pivoine.art): - Vaultwarden (Bitwarden-compatible server) - SQLite database for password storage - WebSocket support for real-time sync - TOTP and WebAuthn/U2F 2FA support - Browser extensions and mobile apps compatible Configuration: - Domain: https://vault.pivoine.art - Signups: Disabled (invite-only for security) - Invitations: Enabled - Password hints: Disabled (security best practice) - First user becomes admin Backup Integration: - Added vaultwarden-backup plan to Restic - Schedule: 8 AM daily (same as letsencrypt) - Retention: 7 daily, 4 weekly, 12 monthly, 3 yearly - Backup volume: vault_data mounted read-only Infrastructure Updates: - Created vault/compose.yaml following stack pattern - Added VAULT_* environment variables to arty.yml - Updated compose.yaml to include vault stack - Added backup_vaultwarden_data volume to restic - Updated restic/config.json with 12th backup plan Documentation: - Added Vault to CORE SYSTEMS in README - Added to ship architecture diagram - Documented in CLAUDE.md with configuration details - Updated volume management sections - Backup count increased from 11 to 12 plans Critical data backed up with long retention (3 years yearly). Compatible with official Bitwarden clients on all platforms. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-11-06 11:15:12 +01:00			`services:`
			`vaultwarden:`
			`image: ${VAULT_IMAGE:-vaultwarden/server:latest}`
			`container_name: ${VAULT_COMPOSE_PROJECT_NAME}_app`
			`restart: unless-stopped`
			`volumes:`
			`- vaultwarden_data:/data`
			`environment:`
			`TZ: ${TIMEZONE:-Europe/Berlin}`
			`DOMAIN: https://${VAULT_TRAEFIK_HOST}`
			`WEBSOCKET_ENABLED: ${VAULT_WEBSOCKET_ENABLED:-true}`
			`SIGNUPS_ALLOWED: ${VAULT_SIGNUPS_ALLOWED:-false}`
			`INVITATIONS_ALLOWED: ${VAULT_INVITATIONS_ALLOWED:-true}`
			`SHOW_PASSWORD_HINT: ${VAULT_SHOW_PASSWORD_HINT:-false}`
			`networks:`
			`- compose_network`
			`labels:`
			`- 'traefik.enable=${VAULT_TRAEFIK_ENABLED}'`
			`- 'traefik.http.middlewares.${VAULT_COMPOSE_PROJECT_NAME}-redirect-web-secure.redirectscheme.scheme=https'`
			`- 'traefik.http.routers.${VAULT_COMPOSE_PROJECT_NAME}-web.middlewares=${VAULT_COMPOSE_PROJECT_NAME}-redirect-web-secure'`
			- 'traefik.http.routers.${VAULT_COMPOSE_PROJECT_NAME}-web.rule=Host(`${VAULT_TRAEFIK_HOST}`)'
			`- 'traefik.http.routers.${VAULT_COMPOSE_PROJECT_NAME}-web.entrypoints=web'`
			- 'traefik.http.routers.${VAULT_COMPOSE_PROJECT_NAME}-web-secure.rule=Host(`${VAULT_TRAEFIK_HOST}`)'
			`- 'traefik.http.routers.${VAULT_COMPOSE_PROJECT_NAME}-web-secure.tls.certresolver=resolver'`
			`- 'traefik.http.routers.${VAULT_COMPOSE_PROJECT_NAME}-web-secure.entrypoints=web-secure'`
			`- 'traefik.http.middlewares.${VAULT_COMPOSE_PROJECT_NAME}-web-secure-compress.compress=true'`
			`- 'traefik.http.routers.${VAULT_COMPOSE_PROJECT_NAME}-web-secure.middlewares=${VAULT_COMPOSE_PROJECT_NAME}-web-secure-compress'`
			`- 'traefik.http.services.${VAULT_COMPOSE_PROJECT_NAME}-web-secure.loadbalancer.server.port=80'`
			`- 'traefik.docker.network=${NETWORK_NAME}'`
			`- 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}'`

			`volumes:`
			`vaultwarden_data:`
			`name: ${VAULT_COMPOSE_PROJECT_NAME}_data`

			`networks:`
			`compose_network:`
			`name: ${NETWORK_NAME}`
			`external: true`