---
version: "3.8"

services:
  wordpress:
    image: "wordpress:5.5.1"
    volumes:
      - "wordpress_content:/var/www/html/wp-content/"
    networks:
      - backend
      - proxy
    environment:
      - WORDPRESS_DB_HOST=mariadb
      - WORDPRESS_DB_USER=wordpress
      - WORDPRESS_DB_PASSWORD_FILE=/run/secrets/db_password
      - WORDPRESS_DB_NAME=wordpress
      - WORDPRESS_CONFIG_EXTRA=${WORDPRESS_CONFIG_EXTRA}
    secrets:
      - db_password
    deploy:
      update_config:
        failure_action: rollback
        order: start-first
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=proxy"
        - "traefik.http.routers.${STACK_NAME}.tls=true"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
        - "traefik.http.routers.${STACK_NAME}.rule=(Host(`ch.${DOMAIN}`, `${DOMAIN}`)"
        # 3wc: this rule works for routing, but not for generating certificates
        # see https://git.autonomic.zone/compose-stacks/planning/issues/14
        #- "traefik.http.routers.${STACK_NAME}.rule=HostRegexp(`{subdomain:.+}.${DOMAIN}`, `${DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"

  mariadb:
    image: "mariadb:10.5"
    volumes:
      - "mariadb:/var/lib/mysql"
    networks:
      - backend
    environment:
      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
      - MYSQL_DATABASE=wordpress
      - MYSQL_USER=wordpress
      - MYSQL_PASSWORD_FILE=/run/secrets/db_password
    secrets:
      - db_password
      - db_root_password

  backupbot:
    image: "decentral1se/backup-bot:0.0.1"
    networks:
      - backend
    volumes:
      - "wordpress_content:/var/www/html/wp-content/"
    secrets:
      - source: backup_bot_ssh_key
        mode: 0400
      - backup_bot_password
      - db_password
    configs:
      - source: borgmatic_config_yml
        target: /etc/borgmatic/config.yaml
    environment:
      - BORGBASE_REPO="g067e243@g067e243.repo.borgbase.com:repo"
      - DB_HOST=mariadb
      - DB_TABLE=wordpress
      - DB_USER=wordpress
    deploy:
      mode: replicated
      replicas: 0
      labels:
        - "swarm.cronjob.enable=true"
        - "swarm.cronjob.schedule=0 2 * * *" # At 02:00
      restart_policy:
        condition: none

networks:
  backend:
    driver: overlay
  proxy:
    external: true

volumes:
  mariadb:
  wordpress_content:

configs:
  borgmatic_config_yml:
    name: borgmatic_config_yml_v6
    file: borgmatic.yml
    template_driver: golang

secrets:
  db_root_password:
    external: true
    name: ${STACK_NAME}_db_root_password_${DB_ROOT_PASSWORD_VERSION}
  db_password:
    external: true
    name: ${STACK_NAME}_db_password_${DB_ROOT_PASSWORD_VERSION}
  backup_bot_ssh_key:
    name: backup_bot_ssh_key_v1
    external: true
  backup_bot_password:
    name: backup_bot_password_v1
    external: true