homeserver/passbolt/docker-compose.yml

name: passbolt
services:
  passbolt-db:
    image: mariadb:10.11
    container_name: ${CONTAINER_NAME}-db
    restart: ${RESTART_POLICY}
    healthcheck:
      test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
      timeout: 5s
      retries: 10
    environment:
      - MYSQL_ROOT_PASSWORD=${DB_MYSQL_ROOT_PASSWORD}
      - MYSQL_DATABASE=${DB_DATABASE}
      - MYSQL_USER=${DB_USER}
      - MYSQL_PASSWORD=${DB_PASSWORD}
    volumes:
      - type: bind
        source: ${DB_PATH}
        target: /var/lib/mysql
        bind:
          create_host_path: true
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"
    networks:
      - internal_net

  passbolt:
    image: passbolt/passbolt:latest-ce
    container_name: ${CONTAINER_NAME}
    restart: ${RESTART_POLICY}
    depends_on:
      passbolt-db:
        condition: service_healthy
    environment:
      - APP_FULL_BASE_URL=https://${SUBDOMAIN}.${DOMAIN} 
      - DB_HOST=passbolt-db
      - DB_USER=${DB_USER}
      - DB_PASSWORD=${DB_PASSWORD}
      - DB_DATABASE=${DB_DATABASE}
      - EMAIL_DEFAULT_TRANSPORT=${EMAIL_TRANSPORT}
      - PASSBOLT_SSL_FORCE=true
      - PASSBOLT_SECURITY_SSL_PROXY=true
      - PASSBOLT_EMAIL_VALIDATE_MX=false
      - PASSBOLT_FORCE_BASE_URL=https://${SUBDOMAIN}.${DOMAIN}
    volumes:
      - type: bind
        source: ${PGP_PATH}
        target: /etc/passbolt/gpg
        bind:
          create_host_path: true
      - type: bind
        source: ${JWT_PATH}
        target: /etc/passbolt/jwt
        bind:
          create_host_path: true
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"
    networks:
      - traefik
      - internal_net
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.${ROUTER_NAME}.rule=Host(`${SUBDOMAIN}.${DOMAIN}`)"
      - "traefik.http.routers.${ROUTER_NAME}.entrypoints=websecure"
      - "traefik.http.routers.${ROUTER_NAME}.tls=true"
      - "traefik.http.routers.${ROUTER_NAME}.tls.certresolver=${CERTIFICATE_RESOLVER}"
      - "traefik.http.services.${ROUTER_NAME}.loadbalancer.server.port=80"
      - "traefik.docker.network=${TRAEFIK_NETWORK}"

      - "traefik.http.routers.${ROUTER_NAME}.middlewares=passbolt-headers@docker"
      - "traefik.http.middlewares.passbolt-headers.headers.customrequestheaders.X-Forwarded-Proto=https"

networks:
  traefik:
    name: traefik
    external: true
  internal_net:
    driver: bridge
    name: passbolt_internal_net