docker/passbolt/docker-compose.yml

services:
  db:
    image: mariadb:12
    restart: unless-stopped
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "true"
      MYSQL_DATABASE: "passbolt"
      MYSQL_USER: "passbolt"
      MYSQL_PASSWORD: "P4ssb0lt"
    volumes:
      - ./data/database:/var/lib/mysql
    networks:
      - internal
    healthcheck:
      test: ["CMD-SHELL", "mariadb-admin ping -h 127.0.0.1 -u\"$$MARIADB_USER\" -p\"$$MARIADB_PASSWORD\" --silent"]
      interval: 10s
      timeout: 5s
      retries: 12
      start_period: 60s


  webapp:
    image: passbolt/passbolt:latest-ce
    #Alternatively you can use rootless:
    restart: unless-stopped
    depends_on:
      - db
    environment:
      APP_FULL_BASE_URL: https://passbolt.lan.ddnsgeek.com
      DATASOURCES_DEFAULT_HOST: "db"
      DATASOURCES_DEFAULT_USERNAME: "passbolt"
      DATASOURCES_DEFAULT_PASSWORD: "P4ssb0lt"
      DATASOURCES_DEFAULT_DATABASE: "passbolt"
    volumes:
      - ./data/gpg:/etc/passbolt/gpg
      - ./data/jwt:/etc/passbolt/jwt
    command:
      [
        "/usr/bin/wait-for.sh",
        "-t",
        "0",
        "db:3306",
        "--",
        "/docker-entrypoint.sh",
      ]
    networks:
      - traefik_reverse_proxy
      - internal
    labels:
      - "traefik.http.routers.passbolt.rule=Host(`passbolt.lan.ddnsgeek.com`)"
      - "traefik.enable=true"
      - "traefik.http.routers.passbolt.entrypoints=websecure"
      - "traefik.http.routers.passbolt.tls.certresolver=myresolver"
      - "io.portainer.accesscontrol.public"
      - "traefik.http.routers.passbolt.middlewares=error-pages-middleware"
      - "traefik.docker.network=traefik_reverse_proxy"

#    healthcheck:
#      test: >
#        CMD-SHELL
#        su -s /bin/sh -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck" www-data
#        | grep -q "No error found"
#      interval: 30s
#      timeout: 10s
#      retries: 6
#      start_period: 120s


networks:
  traefik_reverse_proxy:
    external: true
  internal:
    driver: bridge