Améliorer la sécurité et la configuration Docker

- Ajouter les capabilities Linux (cap_drop/cap_add) pour limiter les privilèges
- Configurer les limites de ressources (256M RAM, 0.5 CPU)
- Ajouter un healthcheck pour surveiller l'état du service
- Configurer les variables SMTP pour la récupération de mot de passe
- Documenter .env.example avec des exemples et instructions

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

docker-compose.yml

@@ -3,6 +3,15 @@ services:
     image: vaultwarden/server:latest
     container_name: vaultwarden
     restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - SETGID
+      - SETUID
+    read_only: false
     environment:
       - DOMAIN=${DOMAIN}
       - SIGNUPS_ALLOWED=false
@@ -20,6 +29,12 @@ services:
       # Notifications
       - SENDS_ALLOWED=true
       # - EMERGENCY_ACCESS_ALLOWED=true
+      #
+      - SMTP_HOST=${SMTP_HOST}
+      - SMTP_PORT=${SMTP_PORT}
+      - SMTP_FROM=${SMTP_FROM}
+      - SMTP_USERNAME=${SMTP_USER}
+      - SMTP_PASSWORD=${SMTP_PASSWORD}
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.vaultwarden.rule=Host(`${DOMAIN}`)"
@@ -27,6 +42,18 @@ services:
       - "traefik.http.routers.vaultwarden.tls=true"
       - "traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt"
       - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"
+    deploy:
+      resources:
+        limits:
+          memory: 256M
+          cpus: "0.5"
+        reservations:
+          memory: 128M
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:80/alive"]
+      interval: 30s
+      timeout: 3s
+      retries: 3
     volumes:
       - ./data:/data
     networks: