revert(passbolt): remove clock-skew patch — metadata key already created

The patched PublicKeyValidationService.php and its volume mount are
no longer needed now that the metadata key exists in the database.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

README.md

@@ -16,7 +16,7 @@ Each stack is independently deployable with its own `compose.yml` and `.env`. Al
 | `n8n` | Workflow automation & notification relay | n8n, db |
 | `gitea` | Git hosting + CI runner | gitea, runner, db |
 | `coolify` | Deployment platform | coolify, realtime, redis, db |
-| `vaultwarden` | Password manager | vaultwarden |
+| `passbolt` | Password manager (GPG-encrypted, team sharing) | passbolt, db |
 
 ## Tools
 

_backup/backup.sh

@@ -38,6 +38,7 @@ declare -A DATABASES=(
   [n8n_db]="n8n:n8n"
   [immich_db]="immich:immich"
   [coolify_db]="coolify:coolify"
+  [passbolt_db]="passbolt:passbolt"
 )
 
 dump_errors=()

passbolt/.env.example

@@ -0,0 +1,2 @@
+TRAEFIK_HOST=passbolt.example.com
+NETWORK_NAME=falcon_network

passbolt/compose.yml

@@ -0,0 +1,66 @@
+services:
+  passbolt:
+    image: passbolt/passbolt:latest-ce
+    container_name: passbolt
+    environment:
+      APP_FULL_BASE_URL: https://${TRAEFIK_HOST}
+      PASSBOLT_SSL_FORCE: "false"
+      TZ: ${TIMEZONE:-Europe/Amsterdam}
+      PASSBOLT_REGISTRATION_PUBLIC: "false"
+      DATASOURCES_DEFAULT_HOST: passbolt_db
+      DATASOURCES_DEFAULT_PORT: "5432"
+      DATASOURCES_DEFAULT_DATABASE: passbolt
+      DATASOURCES_DEFAULT_USERNAME: passbolt
+      DATASOURCES_DEFAULT_PASSWORD: passbolt
+      DATASOURCES_DEFAULT_DRIVER: Cake\Database\Driver\Postgres
+      DATASOURCES_DEFAULT_ENCODING: utf8
+      DATASOURCES_QUOTE_IDENTIFIER: "true"
+      EMAIL_TRANSPORT_DEFAULT_HOST: mailpit
+      EMAIL_TRANSPORT_DEFAULT_PORT: "1025"
+      EMAIL_TRANSPORT_DEFAULT_TLS: "false"
+      EMAIL_DEFAULT_FROM: passbolt@pivoine.art
+      EMAIL_DEFAULT_FROM_NAME: Passbolt
+    volumes:
+      - ../.data/passbolt/gpg:/etc/passbolt/gpg
+      - ../.data/passbolt/jwt:/etc/passbolt/jwt
+      - ../.data/passbolt/gnupg:/var/lib/passbolt/.gnupg
+    depends_on:
+      db:
+        condition: service_healthy
+    restart: unless-stopped
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.middlewares.passbolt-redirect-web-secure.redirectscheme.scheme=https"
+      - "traefik.http.routers.passbolt-web.middlewares=passbolt-redirect-web-secure"
+      - "traefik.http.routers.passbolt-web.rule=Host(`${TRAEFIK_HOST}`)"
+      - "traefik.http.routers.passbolt-web.entrypoints=web"
+      - "traefik.http.routers.passbolt-web-secure.rule=Host(`${TRAEFIK_HOST}`)"
+      - "traefik.http.routers.passbolt-web-secure.tls.certresolver=resolver"
+      - "traefik.http.routers.passbolt-web-secure.entrypoints=web-secure"
+      - "traefik.http.routers.passbolt-web-secure.middlewares=security-headers@file,no-index@file"
+      - "traefik.http.services.passbolt-web-secure.loadbalancer.server.port=80"
+      - "traefik.docker.network=${NETWORK_NAME}"
+    networks:
+      - compose_network
+  db:
+    image: postgres:16-alpine
+    container_name: passbolt_db
+    environment:
+      POSTGRES_DB: passbolt
+      POSTGRES_USER: passbolt
+      POSTGRES_PASSWORD: passbolt
+      POSTGRES_INITDB_ARGS: --data-checksums
+    volumes:
+      - ../.data/passbolt/db:/var/lib/postgresql/data
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB}"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+    networks:
+      - compose_network
+networks:
+  compose_network:
+    name: ${NETWORK_NAME}
+    external: true

vaultwarden/.env.example

@@ -1,3 +0,0 @@
-TRAEFIK_HOST=vault.example.com
-NETWORK_NAME=falcon_network
-SMTP_FROM=vaultwarden@example.com

vaultwarden/compose.yml

@@ -1,37 +0,0 @@
-services:
-  vaultwarden:
-    image: vaultwarden/server:latest
-    container_name: vaultwarden
-    environment:
-      TZ: ${TIMEZONE:-Europe/Amsterdam}
-      DOMAIN: https://${TRAEFIK_HOST}
-      WEBSOCKET_ENABLED: "true"
-      SIGNUPS_ALLOWED: "true"
-      INVITATIONS_ALLOWED: "true"
-      SHOW_PASSWORD_HINT: "false"
-      SMTP_HOST: mailpit
-      SMTP_FROM: ${SMTP_FROM}
-      SMTP_FROM_NAME: Vaultwarden
-      SMTP_SECURITY: off
-      SMTP_PORT: 1025
-    volumes:
-      - ../.data/vaultwarden:/data
-    restart: always
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.middlewares.vaultwarden-redirect-web-secure.redirectscheme.scheme=https"
-      - "traefik.http.routers.vaultwarden-web.middlewares=vaultwarden-redirect-web-secure"
-      - "traefik.http.routers.vaultwarden-web.rule=Host(`${TRAEFIK_HOST}`)"
-      - "traefik.http.routers.vaultwarden-web.entrypoints=web"
-      - "traefik.http.routers.vaultwarden-web-secure.rule=Host(`${TRAEFIK_HOST}`)"
-      - "traefik.http.routers.vaultwarden-web-secure.tls.certresolver=resolver"
-      - "traefik.http.routers.vaultwarden-web-secure.entrypoints=web-secure"
-      - "traefik.http.routers.vaultwarden-web-secure.middlewares=security-headers@file,no-index@file"
-      - "traefik.http.services.vaultwarden-web-secure.loadbalancer.server.port=80"
-      - "traefik.docker.network=${NETWORK_NAME}"
-    networks:
-      - compose_network
-networks:
-  compose_network:
-    name: ${NETWORK_NAME}
-    external: true