---
version: "3.8"

services:
  app:
    image: cryptpad/cryptpad:version-2026.2.0
    entrypoint: ["/sso-entrypoint.sh", "/cryptpad/docker-entrypoint.sh"]
    command: ["npm", "start"]
    networks:
      - backend
    environment:
      - CRYPTPAD_ADMIN_KEYS
      - "CPAD_MAIN_DOMAIN=${DOMAIN}"
      - "CPAD_SANDBOX_DOMAIN=${SANDBOX_DOMAIN}"
      # Traefik can't use HTTP2 to communicate with cryptpad_websocket
      # A workaroung is disabling HTTP2 in Nginx
      - "CPAD_HTTP2_DISABLE=true"
      - "CPAD_TRUST_PROXY=1"
      - "CPAD_CONF=/cryptpad/config/config.js"
      # SSO plugin
      - SSO_PLUGIN_VERSION
      - "SSO_ENABLED=${SSO_ENABLED:-false}"
      - SSO_ENFORCED
      - SSO_PROVIDER_NAME
      - SSO_OIDC_URL
      - SSO_CLIENT_ID
      - SSO_JWT_ALG
    secrets:
      - sso_client_s
    volumes:
      - cryptpad_blob:/cryptpad/blob
      - cryptpad_block:/cryptpad/block
      - cryptpad_customize:/cryptpad/customize
      - cryptpad_data:/cryptpad/data
      - cryptpad_files:/cryptpad/datastore
      - cryptpad_config:/cryptpad/config/
      - cryptpad_plugins:/cryptpad/lib/plugins
    configs:
      - source: config_js
        target: /cryptpad/config/config.js
      - source: sso_entrypoint
        target: /sso-entrypoint.sh
        mode: 0755
      - source: sso_js
        target: /sso.js

    deploy:
      restart_policy:
        condition: on-failure
      labels:
        - "traefik.enable=false"
        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
        - "coop-cloud.${STACK_NAME}.version=0.5.1+v2026.2.0"
        - "backupbot.backup=true"
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:3000"]
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 1m

  web:
    image: nginx:1.29
    configs:
      - source: nginx_conf
        target: /etc/nginx/conf.d/default.conf
    networks:
      proxy:
      backend:
    depends_on:
      - app
    environment:
      - STACK_NAME
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=proxy"
        - "traefik.http.routers.${STACK_NAME}.tls=true"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8083"
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`, `${SANDBOX_DOMAIN}` ${EXTRA_DOMAINS})"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"

networks:
  proxy:
    external: true
  backend:

volumes:
  cryptpad_blob:
  cryptpad_block:
  cryptpad_customize:
  cryptpad_data:
  cryptpad_files:
  cryptpad_config:
  cryptpad_plugins:

secrets:
  sso_client_s:
    external: true
    name: ${STACK_NAME}_sso_client_s_${SSO_CLIENT_SECRET_VERSION}

configs:
  config_js:
    name: ${STACK_NAME}_config_${CONFIG_VERSION}
    file: config.js.tmpl
    template_driver: golang
  nginx_conf:
    name: ${STACK_NAME}_nginx_conf_${NGINX_CONF_VERSION}
    file: nginx.conf.tmpl
    template_driver: golang
  sso_entrypoint:
    name: ${STACK_NAME}_sso_entrypoint_${SSO_ENTRYPOINT_VERSION}
    file: sso-entrypoint.sh
  sso_js:
    name: ${STACK_NAME}_sso_js_${SSO_JS_VERSION}
    file: sso.js.tmpl
    template_driver: golang