---
version: "3.8"

services:
  app:
    image: discourse/discourse:3.5.3
    networks:
      - proxy
      - internal
    # official image CMD is /sbin/boot; wrapper injects the DB password secret first
    entrypoint: /usr/local/bin/cc-app-entrypoint.sh
    environment:
      - DISCOURSE_HOSTNAME=${DOMAIN}
      - DISCOURSE_DEVELOPER_EMAILS=${DISCOURSE_DEVELOPER_EMAILS}
      - DISCOURSE_DB_HOST=${STACK_NAME}_db
      - DISCOURSE_DB_PORT=5432
      - DISCOURSE_DB_NAME=discourse
      - DISCOURSE_DB_USERNAME=discourse
      - DISCOURSE_REDIS_HOST=${STACK_NAME}_redis
      - DISCOURSE_REDIS_PORT=6379
      - DISCOURSE_SMTP_ADDRESS
      - DISCOURSE_SMTP_PORT
      - DISCOURSE_SMTP_USER_NAME
      - DISCOURSE_SMTP_PASSWORD
      - DISCOURSE_SMTP_AUTHENTICATION
      - DISCOURSE_SMTP_ENABLE_START_TLS
      - DISCOURSE_NOTIFICATION_EMAIL
    volumes:
      - 'discourse_shared:/shared'
      # transition only: legacy bitnami volume, read-only, for one-time upload migration
      - 'discourse_data:/legacy:ro'
    secrets:
      - db_password
    configs:
      - source: app_entrypoint
        target: /usr/local/bin/cc-app-entrypoint.sh
        mode: 0555
      - source: app_install_ssl
        target: /etc/runit/1.d/install-ssl
        mode: 0555
      - source: app_migrate_uploads
        target: /etc/runit/1.d/02-migrate-bitnami-uploads
        mode: 0555
    depends_on:
      - db
      - redis
    deploy:
      update_config:
        failure_action: rollback
        order: stop-first
      labels:
        - "traefik.enable=true"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "coop-cloud.${STACK_NAME}.version=1.0.0+3.5.3"
    healthcheck:
      test: "curl -fsS http://localhost/srv/status || exit 1"
      interval: 30s
      timeout: 10s
      retries: 6
      start_period: 25m

  db:
    # discourse/postgres = pgvector + discourse's postgres management layer, which
    # auto-upgrades an older cluster in place on boot (pg_upgrade into the versioned
    # PGDATA /var/lib/postgresql/${MAJOR}/docker). The cc-db-entrypoint wrapper
    # injects the password secret and detects the old cluster's install user.
    image: discourse/postgres:pg18
    networks:
      - internal
    secrets:
      - db_password
    volumes:
      # the image expects the whole cluster tree mounted here (not the data subdir);
      # an existing pg17 cluster at the volume root is found and upgraded into /18/docker
      - 'postgresql_data:/var/lib/postgresql'
    configs:
      - source: db_entrypoint
        target: /usr/local/bin/cc-db-entrypoint.sh
        mode: 0555
      - source: pg_backup
        target: /pg_backup.sh
        mode: 0555
    entrypoint: /usr/local/bin/cc-db-entrypoint.sh
    environment:
      # internal-only overlay network; keep all-trust so the app and the
      # backup/restore hooks connect without juggling the superuser password
      - POSTGRES_HOST_AUTH_METHOD=trust
      - POSTGRES_DB=discourse
      - DB_USER=discourse
    healthcheck:
      test: "pg_isready -U discourse -d discourse"
      interval: 30s
      timeout: 10s
      retries: 5
      # generous: a postgres major-version upgrade (apt install old binaries +
      # pg_upgrade) runs in the entrypoint before the server accepts connections —
      # don't let the healthcheck kill an in-progress migration
      start_period: 15m
    deploy:
      labels:
        backupbot.backup: "true"
        backupbot.backup.pre-hook: "/pg_backup.sh backup"
        backupbot.backup.volumes.postgresql_data.path: "backup.sql"
        backupbot.restore.post-hook: "/pg_backup.sh restore"

  redis:
    image: redis:7.4-alpine
    networks:
      - internal
    volumes:
      - 'redis_data:/data'
    healthcheck:
      test: "redis-cli ping | grep -q PONG"
      interval: 30s
      timeout: 5s
      retries: 5
      start_period: 30s

secrets:
  db_password:
    external: true
    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}

volumes:
  postgresql_data:
  redis_data:
  discourse_shared:
  discourse_data:

networks:
  proxy:
    external: true
  internal:

configs:
  app_entrypoint:
    name: ${STACK_NAME}_app_entrypoint_${APP_ENTRYPOINT_VERSION}
    file: cc-app-entrypoint.sh
  app_install_ssl:
    name: ${STACK_NAME}_app_install_ssl_${APP_INSTALL_SSL_VERSION}
    file: app-install-ssl.sh
  app_migrate_uploads:
    name: ${STACK_NAME}_app_migrate_uploads_${APP_MIGRATE_UPLOADS_VERSION}
    file: migrate-uploads.sh
  db_entrypoint:
    name: ${STACK_NAME}_db_entrypoint_${DB_ENTRYPOINT_VERSION}
    file: cc-db-entrypoint.sh
  pg_backup:
    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
    file: pg_backup.sh