Run vaultwarden as nobody

Caddyfile

@@ -25,7 +25,7 @@
   reverse_proxy /notifications/hub vaultwarden:3012
 
   # Proxy everything else to Rocket
-  reverse_proxy vaultwarden:80 {
+  reverse_proxy vaultwarden:8080 {
       # Send the true remote IP to Rocket, so that vaultwarden can put this in the
       # log, so that fail2ban can ban the correct IP.
       header_up X-Real-IP {remote_host}

docker-compose.yml

@@ -9,18 +9,18 @@ services:
       - WEBSOCKET_ENABLED=true  # Enable WebSocket notifications.
       - DATABASE_URL=postgresql://vaultwarden:YOUR_POSTGRESQL_PASSWORD@postgres:5432/vaultwarden
       - ADMIN_TOKEN=YOUR_ADMIN_PASSWORD
+      - ROCKET_PORT=8080
     volumes:
       - vaultwarden:/data
     networks:
       - vaultwarden
       - postgres
+    user: nobody
     read_only: true
     security_opt:
       - no-new-privileges:true
     cap_drop:
       - ALL
-    cap_add:
-      - NET_BIND_SERVICE
 
   caddy:
     image: caddy:alpine