@waja
Last active February 26, 2021 19:38
Bitwarden server API implementation written in Rust, running via Docker Compose with Traefik as a reverse proxy in front
# Values substituted into the ${...} placeholders of the Compose label strings.
# TRAEFIK_HASH is a random suffix appended to the Traefik router, service and
# middleware names built in those labels (presumably to keep them unique across
# projects). It is a name component, not a credential.
# Generate a fresh 12-character suffix with:
# tr -dc A-Za-z0-9 </dev/urandom | head -c 12 ; echo ''
TRAEFIK_HASH=H6UNStXJUAX5
# Project and service parts of the same Traefik object names.
TRAEFIK_PROJECT=bitwarden
TRAEFIK_SERVICE_01=bitwarden
# systemd unit that brings the Bitwarden RS Compose stack up and down.
[Unit]
Description=Bitwarden RS Service
# Ordering only: start after the network, the Docker daemon and the Traefik unit.
After=network.target docker.service traefik.service
# Hard dependency on Docker; traefik.service is ordered above but not required.
Requires=docker.service
[Service]
#Type=simple
# oneshot + RemainAfterExit: "up -d" returns once the containers are started,
# and the unit then stays active until it is stopped.
Type=oneshot
RemainAfterExit=yes
# WORK_DIR ends in "/", so the expanded paths below contain "//"; this is harmless.
Environment="WORK_DIR=/srv/docker/bitwarden/"
WorkingDirectory=/srv/docker/bitwarden/
# NOTE(review): no User= is set; if this is installed as a system unit the
# commands run as root. Confirm that is intended.
# The leading "-" makes systemd ignore a failure of these two preparation steps.
ExecStartPre=-/usr/local/bin/docker-compose -f "${WORK_DIR}/docker-compose.yml" -f "${WORK_DIR}/container.conf/production.yml" down
# NOTE(review): every start pulls whatever the registry currently serves for the
# configured image tag, so a re-pushed tag is deployed on the next restart
# without review. Pin the image by digest if that matters for this host.
ExecStartPre=-/usr/local/bin/docker-compose -f "${WORK_DIR}/docker-compose.yml" -f "${WORK_DIR}/container.conf/production.yml" pull
# Both Compose files are always passed together; the second overrides the first.
ExecStart=/usr/local/bin/docker-compose -f "${WORK_DIR}/docker-compose.yml" -f "${WORK_DIR}/container.conf/production.yml" up -d
ExecStop=/usr/local/bin/docker-compose -f "${WORK_DIR}/docker-compose.yml" -f "${WORK_DIR}/container.conf/production.yml" down
[Install]
# Enabled as a dependency of docker.service rather than of a boot target.
WantedBy=docker.service
# Base Compose definition for the Bitwarden RS container behind Traefik.
# The ${TRAEFIK_*} placeholders are substituted by Compose from the environment.
# Labels stay in list form so each whole "key=value" string is a value and the
# placeholders inside the Traefik object names are substituted as well.
version: '3.7'

services:
  bitwarden:
    # No tag is given, so this file on its own resolves to the registry's
    # default tag. The override file in this listing pins a release tag.
    image: 'bitwardenrs/server'
    environment:
      WEBSOCKET_ENABLED: 'true'  # Required to use websockets
      # NOTE(review): with signups open, anyone who can reach the public host
      # can create an account on this vault. Switch to 'false' once the
      # intended accounts exist.
      SIGNUPS_ALLOWED: 'true'  # set to false to disable signups
    networks:
      - default
      - system_traefik
    restart: always
    labels:
      # Opts the container in to Watchtower. NOTE(review): automatic image
      # updates deploy registry content unreviewed; confirm this is wanted
      # for a password vault.
      - 'com.centurylinklabs.watchtower.enable=true'
      - 'traefik.enable=true'
      - 'traefik.docker.network=system_traefik'

      # Main HTTPS router. TLS ends at Traefik, which forwards plain HTTP to
      # container port 80 over system_traefik, so other containers attached
      # to that network can presumably reach the vault unencrypted.
      - 'traefik.http.routers.${TRAEFIK_PROJECT}-${TRAEFIK_SERVICE_01}-${TRAEFIK_HASH}.entrypoints=websecure'
      - 'traefik.http.routers.${TRAEFIK_PROJECT}-${TRAEFIK_SERVICE_01}-${TRAEFIK_HASH}.tls=true'
      - 'traefik.http.routers.${TRAEFIK_PROJECT}-${TRAEFIK_SERVICE_01}-${TRAEFIK_HASH}.tls.certresolver=default'
      # default-security-headers@file comes from Traefik's file provider and is
      # not part of this listing; verify the headers it sets on the Traefik side.
      - 'traefik.http.routers.${TRAEFIK_PROJECT}-${TRAEFIK_SERVICE_01}-${TRAEFIK_HASH}.middlewares=default-security-headers@file'
      - 'traefik.http.routers.${TRAEFIK_PROJECT}-${TRAEFIK_SERVICE_01}-${TRAEFIK_HASH}.service=${TRAEFIK_PROJECT}-${TRAEFIK_SERVICE_01}-${TRAEFIK_HASH}'
      - 'traefik.http.services.${TRAEFIK_PROJECT}-${TRAEFIK_SERVICE_01}-${TRAEFIK_HASH}.loadbalancer.server.port=80'

      # Websocket router ("-ws-" names): same entrypoint and TLS settings, but
      # it strips /notifications/hub and targets container port 3012.
      - 'traefik.http.routers.${TRAEFIK_PROJECT}-${TRAEFIK_SERVICE_01}-ws-${TRAEFIK_HASH}.entrypoints=websecure'
      - 'traefik.http.routers.${TRAEFIK_PROJECT}-${TRAEFIK_SERVICE_01}-ws-${TRAEFIK_HASH}.tls=true'
      - 'traefik.http.routers.${TRAEFIK_PROJECT}-${TRAEFIK_SERVICE_01}-ws-${TRAEFIK_HASH}.tls.certresolver=default'
      - 'traefik.http.middlewares.${TRAEFIK_PROJECT}-${TRAEFIK_SERVICE_01}-ws-${TRAEFIK_HASH}-strip.stripprefix.prefixes=/notifications/hub'
      - 'traefik.http.routers.${TRAEFIK_PROJECT}-${TRAEFIK_SERVICE_01}-ws-${TRAEFIK_HASH}.middlewares=default-security-headers@file,${TRAEFIK_PROJECT}-${TRAEFIK_SERVICE_01}-ws-${TRAEFIK_HASH}-strip@docker'
      - 'traefik.http.routers.${TRAEFIK_PROJECT}-${TRAEFIK_SERVICE_01}-ws-${TRAEFIK_HASH}.service=${TRAEFIK_PROJECT}-${TRAEFIK_SERVICE_01}-ws-${TRAEFIK_HASH}'
      - 'traefik.http.services.${TRAEFIK_PROJECT}-${TRAEFIK_SERVICE_01}-ws-${TRAEFIK_HASH}.loadbalancer.server.port=3012'
    volumes:
      # Vault data is a bind mount next to the Compose file. Restrict the host
      # permissions on ./bw-data and include it in backups.
      - './bw-data:/data'

volumes:
  # NOTE(review): declared, but no service in this listing mounts it.
  app-volume: {}

networks:
  # Created outside this project; shared with the Traefik container.
  system_traefik:
    external: true
# Override file, apparently the container.conf/production.yml that the unit
# passes as the second -f. Compose merges its labels and volumes into the base
# service definition, and the image given here replaces the base one.
version: '3.7'

services:
  bitwarden:
    # Pins a release tag. A tag can be re-pushed upstream, so pin by digest
    # where an immutable image is required.
    image: 'bitwardenrs/server:1.19.0-alpine'
    labels:
      # Host rule for the main router.
      - 'traefik.http.routers.${TRAEFIK_PROJECT}-${TRAEFIK_SERVICE_01}-${TRAEFIK_HASH}.rule=Host(`bitwarden.test.org`)'
      # The websocket router adds Path(), which matches only that exact path.
      # Every other path on the host is served by the main router.
      - 'traefik.http.routers.${TRAEFIK_PROJECT}-${TRAEFIK_SERVICE_01}-ws-${TRAEFIK_HASH}.rule=Host(`bitwarden.test.org`) && Path(`/notifications/hub`)'
    volumes:
      # Read-only host time settings; ":ro" stops the container changing them.
      - '/etc/localtime:/etc/localtime:ro'
      - '/etc/timezone:/etc/timezone:ro'