From 8aecc5005aac7510b9836ad0622ffab8510916dc Mon Sep 17 00:00:00 2001
From: BeauTroll <->
Date: Mon, 22 Dec 2025 18:41:15 +0100
Subject: [PATCH] =?UTF-8?q?Am=C3=A9liorer=20la=20s=C3=A9curit=C3=A9=20et?=
 =?UTF-8?q?=20la=20configuration=20Docker?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Ajouter les capabilities Linux (cap_drop/cap_add) pour limiter les privilèges
- Configurer les limites de ressources (256M RAM, 0.5 CPU)
- Ajouter un healthcheck pour surveiller l'état du service
- Configurer les variables SMTP pour la récupération de mot de passe
- Documenter .env.example avec des exemples et instructions

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5
---
 .env.example | 7 +++++--
 docker-compose.yml | 27 +++++++++++++++++++++++++++
 2 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/.env.example b/.env.example
index a609fef..1b5b1c7 100644
--- a/.env.example
+++ b/.env.example
@@ -1,2 +1,5 @@
-DOMAIN=
-ADMIN_TOKEN=
+DOMAIN=domain.tld
+ADMIN_TOKEN= # Générer avec: openssl rand -base64 48
+SMTP_HOST=smtp.domain.tld
+SMTP_PORT=587
+SMTP_FROM=vaultwarden@domain.tld
diff --git a/docker-compose.yml b/docker-compose.yml
index 99ffc37..1492a75 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,6 +3,15 @@ services:
 image: vaultwarden/server:latest
 container_name: vaultwarden
 restart: unless-stopped
+ security_opt:
+ - no-new-privileges:true
+ cap_drop:
+ - ALL
+ cap_add:
+ - CHOWN
+ - SETGID
+ - SETUID
+ read_only: false
 environment:
 - DOMAIN=${DOMAIN}
 - SIGNUPS_ALLOWED=false
@@ -20,6 +29,12 @@ services:
 # Notifications
 - SENDS_ALLOWED=true
 # - EMERGENCY_ACCESS_ALLOWED=true
+ #
+ - SMTP_HOST=${SMTP_HOST}
+ - SMTP_PORT=${SMTP_PORT}
+ - SMTP_FROM=${SMTP_FROM}
+ - SMTP_USERNAME=${SMTP_USER}
+ - SMTP_PASSWORD=${SMTP_PASSWORD}
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.vaultwarden.rule=Host(`${DOMAIN}`)"
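Review bot: The new template lists `SMTP_HOST`/`SMTP_PORT`/`SMTP_FROM` but not the `SMTP_USER` and `SMTP_PASSWORD` values that the accompanying docker-compose.yml interpolates, so copying `.env.example` to `.env` still leaves the SMTP credentials undefined; add `SMTP_USER=` and `SMTP_PASSWORD=` (empty, same comment style) so every required key is discoverable from the template. On `ADMIN_TOKEN`, an `openssl rand` string is stored and compared in plaintext; recent Vaultwarden (1.28 or later, if memory serves) accepts an Argon2 PHC hash produced by `vaultwarden hash` instead, and if that form is used the `$` characters must be doubled (`$$`) so Compose variable interpolation does not consume them — worth extending the comment to say so. The trailing-comment form `ADMIN_TOKEN= # ...` depends on the dotenv parser honouring inline comments (Compose v2 does; older tooling may keep the `#` text as part of the value), so putting the comment on its own line above the key is the safer convention for a file users will paste secrets into.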
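Review bot: `read_only: false` at the end of the new hardening stanza only restates the Docker default, so a reader cannot tell whether a read-only root filesystem was tried and failed or simply not attempted; either document it, e.g. `read_only: false  # TODO: only /data should need writes — test read_only: true with tmpfs: [/tmp]`, or enable it and test, since a password manager is exactly the workload where a read-only rootfs pays off. The three retained capabilities (CHOWN/SETGID/SETUID) are presumably there so the image's entrypoint can fix ownership of `/data` and drop privileges — please confirm that against the image and say so in a comment; if the service is instead run with a `user:` directive they can likely be dropped too. Note that the allowlist is pinned against `image: vaultwarden/server:latest` (context, not this change), so the capability set the entrypoint needs can change underneath it on any pull; a version tag or digest makes this hardening reproducible.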
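Review bot: `SMTP_USERNAME=${SMTP_USER}` and `SMTP_PASSWORD=${SMTP_PASSWORD}` interpolate two variables the commit never documents (the `.env.example` hunk adds only host, port and from), so with the shipped template Compose substitutes empty strings with a warning and Vaultwarden is handed an SMTP host without credentials. If the relay requires authentication, make these fail fast instead of silently misconfiguring mail: `- SMTP_USERNAME=${SMTP_USERNAME:?set SMTP_USERNAME in .env}` and `- SMTP_PASSWORD=${SMTP_PASSWORD:?set SMTP_PASSWORD in .env}`, and keep the host-side name identical to the Vaultwarden name so the `SMTP_USER`/`SMTP_USERNAME` drift cannot recur. The bare `+ #` line introducing the block should carry a label in the style of the `# Notifications` comment above it, e.g. `# SMTP (password hints, invitations)`. Also be aware that the password is now visible via `docker inspect` and in the process environment; if the image supports a file-based variant (verify), a Compose secret would keep it out of both.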
@@ -27,6 +42,18 @@ services:
 - "traefik.http.routers.vaultwarden.tls=true"
 - "traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt"
 - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"
+ deploy:
+ resources:
+ limits:
+ memory: 256M
+ cpus: "0.5"
+ reservations:
+ memory: 128M
+ healthcheck:
+ test: ["CMD", "curl", "-f", "http://localhost:80/alive"]
+ interval: 30s
+ timeout: 3s
+ retries: 3
 volumes:
 - ./data:/data
 networks:
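Review bot: The healthcheck hardcodes `http://localhost:80/alive`, and I believe the vaultwarden image already ships a `/healthcheck.sh` that derives scheme and port from `ROCKET_PORT`/`ROCKET_TLS`/`DOMAIN`; `test: ["CMD", "/healthcheck.sh"]` (verify it exists in the pulled tag) keeps that logic in one place, otherwise port 80 is now duplicated between this line and the Traefik `server.port=80` label. The health status is also purely informational here: `restart: unless-stopped` does not restart an unhealthy container and nothing in this file reacts to the state, so either add a Traefik service healthcheck label or an external watcher, or soften the commit message's "surveiller" claim. `timeout: 3s` is tight for a container capped at 0.5 CPU (a burst of Argon2 password verifications can pin it), so 5–10s plus `start_period: 10s` would avoid false unhealthy flaps. Finally, if a hashed `ADMIN_TOKEN` is adopted, sanity-check the 256M limit against the Argon2 memory parameter, since that memory is allocated per verification attempt.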