version: "3.8"
services:
  app:
    image: quay.io/hedgedoc/hedgedoc:1.9.3
    environment:
      - CMD_USECDN=false
      - CMD_URL_ADDPORT=false
      - CMD_DOMAIN=$DOMAIN
      - CMD_PROTOCOL_USESSL=true
      - CMD_HSTS_ENABLE=false
      - CMD_DB_NAME=codimd
      - CMD_DB_USER=codimd
      - CMD_DB_HOST=db
      - CMD_DB_PASSWORD_FILE=/run/secrets/db_password
      - CMD_ALLOW_ANONYMOUS
      - CMD_ALLOW_ANONYMOUS_EDITS
      - CMD_ALLOW_EMAIL_REGISTER
      - CMD_ALLOW_FREEURL
      - CMD_ALLOW_GRAVATAR
      - CMD_ALLOW_ORIGIN
      - CMD_COOKIE_POLICY
      - CMD_CSP_ADD_DISQUS
      - CMD_CSP_ADD_GOOGLE_ANALYTICS
      - CMD_CSP_ENABLE
      - CMD_CSP_REPORTURI
      - CMD_DEFAULT_PERMISSION
      - CMD_EMAIL
      - CMD_SESSION_LIFE
    depends_on:
      - db
    networks:
      - proxy
      - internal
    volumes:
      - codimd_uploads:/home/hackmd/app/public/uploads
    secrets:
      - db_password
    entrypoint: /docker-entrypoint.sh
    configs:
      - source: entrypoint_conf
        target: /docker-entrypoint.sh
        mode: 0555
    deploy:
      restart_policy:
        condition: on-failure
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=proxy"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=3000"
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
        - coop-cloud.${STACK_NAME}.version=0.3.0+1.9.3
    healthcheck:
      test: "nodejs -e \"http.get('http://localhost:3000', (res) => { console.log('status: ', res.statusCode); if (res.statusCode == 200) { process.exit(0); } else { process.exit(1); } });\""
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 1m
  db:
    image: postgres:11.15-alpine
    environment:
      - POSTGRES_USER=codimd
      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
      - POSTGRES_DB=codimd
    volumes:
      - "postgres:/var/lib/postgresql/data"
    secrets:
      - db_password
    networks:
      - internal
    deploy:
      labels:
          backupbot.backup: "true"
          backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /tmp/backup/backup.sql"
          backupbot.backup.post-hook: "rm -rf /tmp/backup"
          backupbot.backup.path: "/tmp/backup/"
volumes:
  postgres:
  codimd_uploads:
secrets:
  db_password:
    external: true
    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
networks:
  proxy:
    external: true
  internal:
configs:
  entrypoint_conf:
    name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_CONF_VERSION}
    file: entrypoint.sh.tmpl
    template_driver: golang