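---
# Compose service for one customer's Vaultwarden instance.
# This file is a Jinja template ({{ customer }}, {{ domain }}); review the
# rendered output, not just this template. Secrets (${ADMIN_TOKEN},
# ${SMTP_PASSWORD}, ${SSO_CLIENT_SECRET}) come from the Compose environment /
# .env file and must not be committed here.
services:
  vaultwarden:
    container_name: "{{ customer }}-vaultwarden"
    # `latest` is a mutable tag: an upstream push changes what runs here on the
    # next pull, and the diun label below only *reports* new images. Pin to a
    # release tag or an image digest once a version has been validated.
    image: vaultwarden/server:latest
    restart: unless-stopped
    # Stop processes in the container from acquiring extra privileges through
    # setuid/setgid binaries; Vaultwarden does not need them.
    security_opt:
      - "no-new-privileges:true"
    environment:
      # Domain configuration - must match the public URL the reverse proxy serves,
      # otherwise client login and the admin panel misbehave.
      DOMAIN: "https://vault.{{ domain }}"

      # Admin panel. Prefer an Argon2 PHC hash over a raw token so that a leaked
      # environment does not hand out admin access directly:
      #   vaultwarden hash   (run inside the image; prints the ADMIN_TOKEN value)
      # If the hash is ever placed inline in this file instead of .env, every `$`
      # in the PHC string must be written as `$$` to stop Compose interpolation.
      # A raw token, if used, should still come from e.g. `openssl rand -base64 48`.
      ADMIN_TOKEN: ${ADMIN_TOKEN}

      # Signup controls. Open signups are only needed to create the first user;
      # set SIGNUPS_ALLOWED to "false" immediately afterwards and onboard further
      # users through admin-panel invitations (INVITATIONS_ALLOWED). Leaving this
      # "true" on an internet-reachable vault lets anyone create accounts.
      SIGNUPS_ALLOWED: "true"
      # Require the signup e-mail address to be verified before the account can be
      # used. SMTP is configured below, so this is enforceable - confirm mail
      # delivery works *before* creating the first user, or it cannot verify.
      SIGNUPS_VERIFY: "true"
      INVITATIONS_ALLOWED: "true"
      # Never expose master-password hints on the login page.
      SHOW_PASSWORD_HINT: "false"

      # SSO/OpenID Connect (Keycloak integration) - disabled for initial testing.
      # Enable after Keycloak is configured with a `vaultwarden` client. Keep
      # SSO_ONLY "false" until SSO login has been verified, or the admin could be
      # locked out of the vault if the IdP is misconfigured.
      SSO_ENABLED: "false"
      # SSO_ONLY: "false"
      # SSO_AUTHORITY: "https://auth.{{ domain }}/realms/{{ customer }}"
      # SSO_CLIENT_ID: vaultwarden
      # SSO_CLIENT_SECRET: ${SSO_CLIENT_SECRET}
      # SSO_PKCE: "true"

      # SMTP configuration - STARTTLS on the submission port with LOGIN auth.
      SMTP_HOST: "mail.{{ domain }}"
      SMTP_FROM: "noreply@{{ domain }}"
      SMTP_USERNAME: "noreply@{{ domain }}"
      SMTP_PASSWORD: ${SMTP_PASSWORD}
      SMTP_FROM_NAME: "{{ customer | title }} Vault"
      SMTP_PORT: "587"
      SMTP_SECURITY: starttls
      SMTP_AUTH_MECHANISM: Login

      # Database (SQLite by default, in the data volume). This file holds every
      # encrypted vault, so the volume must be included in backups.
      DATABASE_URL: /data/db.sqlite3

      # Logging. Extended logging records failed logins with client IPs, which is
      # what fail2ban-style tooling keys on.
      LOG_LEVEL: info
      EXTENDED_LOGGING: "true"

      # Security
      # Keep the admin panel token-protected; "true" would make /admin open to
      # anyone who can reach the container port.
      DISABLE_ADMIN_TOKEN: "false"
      # Server-side default PBKDF2 iteration count for new accounts.
      PASSWORD_ITERATIONS: "600000"

      # WebSocket for live sync.
      # NOTE(review): recent Vaultwarden releases serve WebSockets on the main
      # HTTP port; the separate 3012 mapping below may be redundant - confirm
      # against the pinned image version before relying on it.
      WEBSOCKET_ENABLED: "true"
    volumes:
      - "{{ customer }}-vaultwarden-data:/data"
    # Bound to loopback only: a TLS-terminating reverse proxy on the host is
    # expected in front of these ports. Do not bind to 0.0.0.0 - the admin panel
    # and login endpoints must not be reachable without TLS.
    ports:
      - "127.0.0.1:3071:80"
      - "127.0.0.1:3072:3012"
    networks:
      "{{ customer }}-vaultwarden":
        ipv4_address: 172.20.34.2
    labels:
      - "diun.enable=true"

networks:
  "{{ customer }}-vaultwarden":
    name: "{{ customer }}-vaultwarden"
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 172.20.34.0/28
          gateway: 172.20.34.1

volumes:
  "{{ customer }}-vaultwarden-data":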