diff --git a/.env.example b/.env.example
index a609fef..1b5b1c7 100644
--- a/.env.example
+++ b/.env.example
@@ -1,2 +1,5 @@
-DOMAIN=
-ADMIN_TOKEN=
+DOMAIN=domain.tld
+ADMIN_TOKEN= # Générer avec: openssl rand -base64 48
+SMTP_HOST=smtp.domain.tld
+SMTP_PORT=587
+SMTP_FROM=vaultwarden@domain.tld
diff --git a/docker-compose.yml b/docker-compose.yml
index 99ffc37..1492a75 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,6 +3,15 @@ services:
 image: vaultwarden/server:latest
 container_name: vaultwarden
 restart: unless-stopped
+ security_opt:
+ - no-new-privileges:true
+ cap_drop:
+ - ALL
+ cap_add:
+ - CHOWN
+ - SETGID
+ - SETUID
+ read_only: false
 environment:
 - DOMAIN=${DOMAIN}
 - SIGNUPS_ALLOWED=false
@@ -20,6 +29,12 @@ services:
 # Notifications
 - SENDS_ALLOWED=true
 # - EMERGENCY_ACCESS_ALLOWED=true
+ #
+ - SMTP_HOST=${SMTP_HOST}
+ - SMTP_PORT=${SMTP_PORT}
+ - SMTP_FROM=${SMTP_FROM}
+ - SMTP_USERNAME=${SMTP_USER}
+ - SMTP_PASSWORD=${SMTP_PASSWORD}
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.vaultwarden.rule=Host(`${DOMAIN}`)"
@@ -27,6 +42,18 @@ services:
 - "traefik.http.routers.vaultwarden.tls=true"
 - "traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt"
 - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"
+ deploy:
+ resources:
+ limits:
+ memory: 256M
+ cpus: "0.5"
+ reservations:
+ memory: 128M
+ healthcheck:
+ test: ["CMD", "curl", "-f", "http://localhost:80/alive"]
+ interval: 30s
+ timeout: 3s
+ retries: 3
 volumes:
 - ./data:/data
 networks:
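Review bot: The compose file's new SMTP block interpolates `${SMTP_USER}` and `${SMTP_PASSWORD}`, but neither variable is added to `.env.example` in this hunk, so a copy of the example yields empty SMTP credentials plus a Compose warning about unset variables; add `SMTP_USER=` and `SMTP_PASSWORD=` after `SMTP_FROM`. The same mismatch is visible in the docker-compose.yml SMTP hunk, where the environment key is `SMTP_USERNAME` but the interpolated variable is `SMTP_USER`; use one name on both sides so the two files stay greppable against each other. The inline `# Générer avec: …` after an empty `ADMIN_TOKEN=` is treated as a comment by Compose's env-file parser only because it is preceded by whitespace, and other dotenv consumers may keep it as the value, so moving the comment to its own line above `ADMIN_TOKEN=` is safer. If I recall the project docs correctly, vaultwarden also accepts an Argon2 PHC string (from `vaultwarden hash`) for `ADMIN_TOKEN` instead of the plaintext token; if that route is documented, note that `$` must be doubled as `$$` in a Compose `.env` file.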
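Review bot: `read_only: false` in the first docker-compose.yml hunk restates the Compose default and so records nothing; either drop the line or, if a read-only root filesystem was tried and rejected, replace it with a comment that says what broke, e.g. `# read_only: true rejected: <reason>`. The `cap_add` allow-list of `CHOWN`/`SETGID`/`SETUID` after `cap_drop: ALL` is a reasonable minimum, but a comment naming why each is needed (presumably the image's start-up ownership fix of `/data` and its privilege drop; I cannot confirm that from here) would stop the next reader from widening it, and if the service were given a fixed `user:` the three might not be needed at all. The unchanged context line `image: vaultwarden/server:latest` is the larger supply-chain exposure next to this hardening; pinning to a version tag or digest would complement `no-new-privileges`. The service definition continues outside the hunk.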
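Review bot: The bare `#` line added above `SMTP_HOST` is an empty comment; give it content so the group is self-describing and matches the `# Notifications` header above it, e.g. `# SMTP delivery (invitations, e-mail 2FA, password hints)`. No `SMTP_SECURITY` is set; vaultwarden's default is, as far as I recall, `starttls`, which fits port 587, but stating `- SMTP_SECURITY=starttls` explicitly makes the transport choice visible instead of leaving it to a default that may change. `SMTP_PASSWORD` is injected as a plain environment variable and is therefore readable via `docker inspect` on the host, which is the same exposure as `ADMIN_TOKEN` in this file; consistent, but worth a one-line comment so nobody assumes it is stored more carefully. The environment list continues outside the hunk.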
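Review bot: The new `healthcheck` has no `start_period`, so with `interval: 30s` and `retries: 3` a container that takes longer than roughly 90 s to come up (first-run database initialisation on slow storage, for instance) is flagged unhealthy; add `start_period: 30s` under `healthcheck`. The `test` line hard-codes `http://localhost:80/alive`, which silently stops matching if `ROCKET_PORT` is ever set in the environment block; if I have it right, the vaultwarden image ships its own `HEALTHCHECK` (`/healthcheck.sh`) that reads those variables, so dropping this override or pointing `test` at that script is the smaller and more robust change. `timeout: 3s` is tight for a service capped at `cpus: "0.5"` a few lines above; 10s is the usual value and avoids false unhealthy transitions under load. The `services` mapping continues outside the hunk (the trailing `volumes:` and `networks:` lines are context).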