---
version: "3.8"

services:
  app:
    image: ghcr.io/bluesky-social/pds:0.4
    networks:
      - internal
    environment:
      - PDS_HOSTNAME=${DOMAIN}
      - PDS_DATA_DIRECTORY=/pds
      - PDS_BLOBSTORE_DISK_LOCATION=/pds/blocks
      - PDS_BLOB_UPLOAD_LIMIT=${PDS_BLOB_UPLOAD_LIMIT:-104857600}
      - PDS_EMAIL_SMTP_URL=${PDS_EMAIL_SMTP_URL:-}
      - PDS_EMAIL_FROM_ADDRESS=${PDS_EMAIL_FROM_ADDRESS:-}
      - PDS_INVITE_REQUIRED=${PDS_INVITE_REQUIRED:-true}
      - LOG_ENABLED=${LOG_ENABLED:-true}
    entrypoint:
      - "dumb-init"
      - "--"
    command:
      - "/entrypoint.sh"
    configs:
      - source: entrypoint
        target: /entrypoint.sh
        mode: 0555
    secrets:
      - pds_jwt_secret
      - pds_admin_password
      - pds_plc_rotation_key
    volumes:
      - pds_data:/pds
    deploy:
      restart_policy:
        condition: on-failure
        max_attempts: 5
      labels:
        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
        - "coop-cloud.${STACK_NAME}.version=0.2.0+v0.4"
        - "backupbot.backup=true"
    healthcheck:
      test: ["CMD", "wget", "-q", "--spider", "http://localhost:3000/xrpc/_health"]
      interval: 30s
      timeout: 10s
      retries: 5
      start_period: 30s

  caddy:
    image: caddy:2
    networks:
      - proxy
      - internal
    environment:
      - DOMAIN=${DOMAIN}
    configs:
      - source: caddyfile
        target: /etc/caddy/Caddyfile
    volumes:
      - caddy_data:/data
    deploy:
      restart_policy:
        condition: on-failure
        max_attempts: 5
      labels:
        - "traefik.enable=true"
        - "traefik.swarm.network=proxy"
        - "traefik.tcp.routers.${STACK_NAME}.rule=HostSNI(`${DOMAIN}`) || HostSNIRegexp(`^.+\\.${DOMAIN}$$`)"
        - "traefik.tcp.routers.${STACK_NAME}.ruleSyntax=v3"
        - "traefik.tcp.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.tcp.routers.${STACK_NAME}.tls.passthrough=true"
        - "traefik.tcp.services.${STACK_NAME}.loadbalancer.server.port=443"

networks:
  proxy:
    external: true
  internal:

volumes:
  pds_data:
  caddy_data:

secrets:
  pds_jwt_secret:
    external: true
    name: ${STACK_NAME}_pds_jwt_secret_${SECRET_PDS_JWT_SECRET_VERSION}
  pds_admin_password:
    external: true
    name: ${STACK_NAME}_pds_admin_password_${SECRET_PDS_ADMIN_PASSWORD_VERSION}
  pds_plc_rotation_key:
    external: true
    name: ${STACK_NAME}_pds_plc_rotation_key_${SECRET_PDS_PLC_ROTATION_KEY_VERSION}

configs:
  entrypoint:
    name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
    file: entrypoint.sh.tmpl
    template_driver: golang
  caddyfile:
    name: ${STACK_NAME}_caddyfile_${CADDYFILE_VERSION}
    file: Caddyfile