---
version: "3.8"

# Optional overlay: adds Matrix Authentication Service (MAS) for
# Element X / OIDC-native auth.
#
# NOTE(review): the `db_password` secret and the `internal` network are
# referenced below but not declared in this file. Presumably the base stack
# file declares them; confirm before deploying this overlay.

services:
  mas:
    # NOTE(review): the image is pinned by tag only. A tag can be re-pointed
    # upstream; consider `...:1.14.0@sha256:<verified-digest>` so every node
    # pulls the same reviewed image.
    image: ghcr.io/element-hq/matrix-authentication-service:1.14.0
    command:
      - server
      - '--config=/etc/mas/config.yaml'
    # Value-less entries are passed through from the deploying environment.
    environment:
      - DOMAIN
      - SERVER_NAME
      - STACK_NAME
    # No `ports:` are published by this overlay; the service joins `internal`
    # only.
    networks:
      - internal
    configs:
      - source: mas_config
        target: /etc/mas/config.yaml
    secrets:
      - db_password
      - mas_encryption
      - mas_synapse_shared
      - mas_signing_rsa
    # The official image is distroless (no curl/wget), so the probe uses
    # `mas-cli config check`, as upstream suggests:
    # https://github.com/element-hq/matrix-authentication-service/issues/3741
    # Caveat: this validates the config, not HTTP, so it will not notice a
    # listener that has stopped answering. GET /health is still served
    # (resource `health` in mas.config.yaml.tmpl) for probes run from other
    # images.
    healthcheck:
      test:
        - CMD
        - /usr/local/bin/mas-cli
        - '--config'
        - /etc/mas/config.yaml
        - config
        - check
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 60s
    deploy:
      restart_policy:
        condition: on-failure

  # Grants the existing `app` service access to the secret shared with MAS.
  # NOTE(review): presumably `app` is the Synapse container; verify against
  # the base stack.
  app:
    secrets:
      - mas_synapse_shared

configs:
  mas_config:
    # The version suffix gives each revision of the template its own config
    # name (presumably bumped whenever mas.config.yaml.tmpl changes).
    name: '${STACK_NAME}_mas_config_${MAS_CONFIG_VERSION}'
    file: mas.config.yaml.tmpl
    # NOTE(review): the template itself is not shown here. If it inlines
    # secret values, the rendered /etc/mas/config.yaml is as sensitive as the
    # secrets themselves.
    template_driver: golang

# All three secrets are `external`: they must already exist in the cluster,
# and no secret material is stored in this file. The per-secret version
# suffix presumably supports rotation by creating a new secret and bumping
# the variable; confirm with the deployment tooling.
secrets:
  mas_encryption:
    external: true
    name: '${STACK_NAME}_mas_encryption_${SECRET_MAS_ENCRYPTION_VERSION}'
  mas_synapse_shared:
    external: true
    name: '${STACK_NAME}_mas_synapse_shared_${SECRET_MAS_SYNAPSE_SHARED_VERSION}'
  mas_signing_rsa:
    external: true
    name: '${STACK_NAME}_mas_signing_rsa_${SECRET_MAS_SIGNING_RSA_VERSION}'