---
version: "3.8"

services:
  app:
    image: "decentral1se/pubspace:latest"
    environment:
      - APP_LOG_LEVEL
      - MASTODON_ACCESS_TOKEN_FILE=/run/secrets/access_token
      - MASTODON_API_BASE_URL
      - NEXTCLOUD_API_BASE_URL
      - NEXTCLOUD_APP_PASSWORD_FILE=/run/secrets/app_password
      - NEXTCLOUD_USER
    secrets:
      - access_token
      - app_password
    networks:
      - proxy
    configs:
      - source: entrypoint_sh
        target: /usr/local/bin/entrypoint.sh
        mode: 0555
    entrypoint: /usr/local/bin/entrypoint.sh
    healthcheck:
      test: curl --fail 0.0.0.0:8000/healthz || exit 1
    deploy:
      update_config:
        failure_action: rollback
        order: start-first
      labels:
        - "traefik.enable=true"
        - "traefik.http.services.pubspace.loadbalancer.server.port=8000"
        - "traefik.http.routers.pubspace.rule=Host(`${DOMAIN}`)"
        - "traefik.http.routers.pubspace.entrypoints=web-secure"
        - "traefik.http.routers.pubspace.tls.certresolver=production"
    command: |
      uvicorn
      --host 0.0.0.0
      --forwarded-allow-ips="*"
      --proxy-headers
      pubspace:app

networks:
  proxy:
    external: true

configs:
  entrypoint_sh:
    name: ${STACK_NAME}_entrypoint_conf_${ENTRYPOINT_CONF_VERSION}
    file: entrypoint.sh.tmpl
    template_driver: golang

secrets:
  access_token:
    external: true
    name: ${STACK_NAME}_access_token_${SECRET_MASTODON_ACCESS_TOKEN}
  app_password:
    external: true
    name: ${STACK_NAME}_app_password_${SECRET_NEXTCLOUD_APP_PASSWORD}