feat(passbolt): add Passbolt CE stack

Password manager with GPG encryption. Uses PostgreSQL for consistency with other stacks. Backed up alongside existing databases. Vaultwarden kept running during migration. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-09 20:00:05 +02:00
parent 31841d1ac3
commit a1f0f7091b
4 changed files with 68 additions and 1 deletions
@@ -0,0 +1,62 @@
+services:
+  passbolt:
+    image: passbolt/passbolt:latest-ce
+    container_name: passbolt
+    environment:
+      APP_FULL_BASE_URL: https://${TRAEFIK_HOST}
+      PASSBOLT_SSL_FORCE: "false"
+      PASSBOLT_REGISTRATION_PUBLIC: "false"
+      DATASOURCES_DEFAULT_HOST: db
+      DATASOURCES_DEFAULT_PORT: "5432"
+      DATASOURCES_DEFAULT_DATABASE: passbolt
+      DATASOURCES_DEFAULT_USERNAME: passbolt
+      DATASOURCES_DEFAULT_PASSWORD: ${DB_PASSWORD}
+      DATASOURCES_DEFAULT_DRIVER: Cake\Database\Driver\Postgres
+      EMAIL_TRANSPORT_DEFAULT_HOST: mailpit
+      EMAIL_TRANSPORT_DEFAULT_PORT: "1025"
+      EMAIL_TRANSPORT_DEFAULT_TLS: "false"
+      EMAIL_DEFAULT_FROM: passbolt@pivoine.art
+      EMAIL_DEFAULT_FROM_NAME: Passbolt
+    volumes:
+      - ../.data/passbolt/gpg:/etc/passbolt/gpg
+      - ../.data/passbolt/jwt:/etc/passbolt/jwt
+    depends_on:
+      db:
+        condition: service_healthy
+    restart: unless-stopped
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.middlewares.passbolt-redirect-web-secure.redirectscheme.scheme=https"
+      - "traefik.http.routers.passbolt-web.middlewares=passbolt-redirect-web-secure"
+      - "traefik.http.routers.passbolt-web.rule=Host(`${TRAEFIK_HOST}`)"
+      - "traefik.http.routers.passbolt-web.entrypoints=web"
+      - "traefik.http.routers.passbolt-web-secure.rule=Host(`${TRAEFIK_HOST}`)"
+      - "traefik.http.routers.passbolt-web-secure.tls.certresolver=resolver"
+      - "traefik.http.routers.passbolt-web-secure.entrypoints=web-secure"
+      - "traefik.http.routers.passbolt-web-secure.middlewares=security-headers@file,no-index@file"
+      - "traefik.http.services.passbolt-web-secure.loadbalancer.server.port=80"
+      - "traefik.docker.network=${NETWORK_NAME}"
+    networks:
+      - compose_network
+  db:
+    image: postgres:16-alpine
+    container_name: passbolt_db
+    environment:
+      POSTGRES_DB: passbolt
+      POSTGRES_USER: passbolt
+      POSTGRES_PASSWORD: ${DB_PASSWORD}
+      POSTGRES_INITDB_ARGS: --data-checksums
+    volumes:
+      - ../.data/passbolt/db:/var/lib/postgresql/data
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB}"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+    networks:
+      - compose_network
+networks:
+  compose_network:
+    name: ${NETWORK_NAME}
+    external: true