version: "3.8"
services:
  app:
    image: quay.io/hedgedoc/hedgedoc:1.9.9
    environment:
      - CMD_USECDN=false
      - CMD_URL_ADDPORT=false
      - CMD_DOMAIN=$DOMAIN
      - CMD_PROTOCOL_USESSL=true
      - CMD_HSTS_ENABLE=false
      - CMD_DB_NAME=codimd
      - CMD_DB_USER=codimd
      - CMD_DB_HOST=db
      - CMD_DB_PASSWORD_FILE=/run/secrets/db_password
      - CMD_ALLOW_ANONYMOUS
      - CMD_ALLOW_ANONYMOUS_EDITS
      - CMD_ALLOW_EMAIL_REGISTER
      - CMD_ALLOW_FREEURL
      - CMD_ALLOW_GRAVATAR
      - CMD_ALLOW_ORIGIN
      - CMD_COOKIE_POLICY
      - CMD_CSP_ADD_DISQUS
      - CMD_CSP_ADD_GOOGLE_ANALYTICS
      - CMD_CSP_ENABLE
      - CMD_CSP_REPORTURI
      - CMD_DEFAULT_PERMISSION
      - CMD_EMAIL
      - CMD_SESSION_LIFE
      - DOCUMENT_MAX_LENGTH
    depends_on:
      - db
    networks:
      - proxy
      - internal
    volumes:
      - codimd_uploads:/home/hackmd/app/public/uploads
    secrets:
      - db_password
    entrypoint: /docker-entrypoint.sh
    configs:
      - source: entrypoint_conf
        target: /docker-entrypoint.sh
        mode: 0555
      - source: config_json
        target: /files/config.json
        mode: 0555
    deploy:
      restart_policy:
        condition: on-failure
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=proxy"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=3000"
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
        - "coop-cloud.${STACK_NAME}.version=1.0.1+1.9.9"
    healthcheck:
      test: "nodejs -e \"http.get('http://localhost:3000', (res) => { console.log('status: ', res.statusCode); if (res.statusCode == 200) { process.exit(0); } else { process.exit(1); } });\""
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 1m
  db:
    image: postgres:16.1-alpine
    environment:
      - POSTGRES_USER=codimd
      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
      - POSTGRES_DB=codimd
    volumes:
      - "postgres:/var/lib/postgresql/data"
    secrets:
      - db_password
    networks:
      - internal
    deploy:
      labels:
          backupbot.backup: "true"
          backupbot.backup.pre-hook: "PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
          backupbot.backup.post-hook: "rm -f /var/lib/postgresql/data/backup.sql"
          backupbot.backup.path: "/var/lib/postgresql/data/backup.sql"
          backupbot.restore: "true"
          backupbot.restore.post-hook: "sh -c 'psql -U $${POSTGRES_USER} -d $${POSTGRES_DB} < /var/lib/postgresql/data/backup.sql && rm -f /var/lib/postgresql/data/backup.sql'"
volumes:
  postgres:
  codimd_uploads:
secrets:
  db_password:
    external: true
    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
networks:
  proxy:
    external: true
  internal:
configs:
  config_json:
    name: ${STACK_NAME}_config_${ENTRYPOINT_CONF_VERSION}
    file: config.json.tmpl
    template_driver: golang
  entrypoint_conf:
    name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_CONF_VERSION}
    file: entrypoint.sh.tmpl
    template_driver: golang