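---
# Docker Compose stack for Vaultwarden on a Synology NAS.
# Every ${...} value is interpolated by Compose from the shell environment or
# an adjacent .env file. That file carries SMTP_PASSWORD and ADMIN_TOKEN, so
# keep it out of version control and readable only by the deploying user.
version: '3.8'

services:
  vaultwarden:
    # NOTE(review): ":latest" is a moving tag, so each pull can change the code
    # that guards the vault. Pin a release tag or image digest that has been
    # reviewed (for example vaultwarden/server:<PINNED_VERSION>) and upgrade
    # deliberately.
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    # Run as the defined Synology user to prevent root file ownership.
    # PUID and PGID must both be set; check the rendered value with
    # `docker compose config` before the first start.
    user: "${PUID}:${PGID}"
    environment:
      # General
      - WEBSOCKET_ENABLED=true
      # Full public URL of the instance, scheme included. Use the https://
      # address served by the reverse proxy.
      - DOMAIN=${DOMAIN}
      # Fail closed: when SIGNUPS_ALLOWED is missing from the environment,
      # registration stays disabled instead of depending on the server's own
      # default. Set SIGNUPS_ALLOWED=true explicitly while creating accounts.
      - SIGNUPS_ALLOWED=${SIGNUPS_ALLOWED:-false}
      # Email (optional but recommended for invitations & 2FA)
      - SMTP_HOST=${SMTP_HOST}
      - SMTP_FROM=${SMTP_FROM}
      - SMTP_FROM_NAME=${SMTP_FROM_NAME}
      # Keep an encrypted mode (starttls or force_tls) so the SMTP credentials
      # and invitation mails do not cross the network in clear text.
      - SMTP_SECURITY=${SMTP_SECURITY:-starttls}
      - SMTP_PORT=${SMTP_PORT:-587}
      - SMTP_USERNAME=${SMTP_USERNAME}
      - SMTP_PASSWORD=${SMTP_PASSWORD}
      # Admin panel: it can change server settings and manage users.
      # Use a long random token and prefer storing its Argon2 PHC hash instead
      # of the plain value. The hash contains "$" characters, which must be
      # escaped or single-quoted so Compose does not interpolate them.
      # Remove this line if the admin panel is not needed.
      - ADMIN_TOKEN=${ADMIN_TOKEN}
      # Required for running as non-root (cannot bind to port 80)
      - ROCKET_PORT=8080
    volumes:
      # Holds the vault data. The directory must be writable by PUID:PGID and
      # should not be readable by other accounts on the NAS.
      - /volume1/docker/vaultwarden/data:/data:rw
    ports:
      # Published on every host interface as plain HTTP. Front it with a
      # TLS-terminating reverse proxy and do not forward 8020 at the router.
      # If the proxy runs on this host, "127.0.0.1:8020:8080" narrows exposure.
      - "8020:8080"  # Web UI
      # Note: recent Vaultwarden versions integrate the WebSocket server into
      # the main process, so exposing port 3012 is no longer required for
      # typical setups unless using reverse proxy splitting.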