---
version: "3.8"

services:
  app:
    image: "decentral1se/keycloak-collective-portal:latest"
    environment:
      - APP_SECRET_KEY_FILE=/run/secrets/app_secret_key
      - KEYCLOAK_CLIENT_ID
      - KEYCLOAK_CLIENT_SECRET_FILE=/run/secrets/keycloak_client_secret
      - KEYCLOAK_DOMAIN
      - KEYCLOAK_REALM
    secrets:
      - app_secret_key
      - keycloak_client_secret
    networks:
      - proxy
    configs:
      - source: entrypoint_sh
        target: /usr/local/bin/entrypoint.sh
        mode: 0555
    entrypoint: /usr/local/bin/entrypoint.sh
    deploy:
      update_config:
        failure_action: rollback
      labels:
        - "traefik.enable=true"
        - "traefik.http.services.kcp.loadbalancer.server.port=8000"
        - "traefik.http.routers.kcp.rule=Host(`${DOMAIN}`)"
        - "traefik.http.routers.kcp.entrypoints=web-secure"
        - "traefik.http.routers.kcp.tls.certresolver=production"
    command: |
      uvicorn
      --host 0.0.0.0
      --forwarded-allow-ips="*"
      --proxy-headers
      keycloak_collective_portal:app

networks:
  proxy:
    external: true

configs:
  entrypoint_sh:
    name: ${STACK_NAME}_entrypoint_conf_${ENTRYPOINT_CONF_VERSION}
    file: entrypoint.sh.tmpl
    template_driver: golang

secrets:
  app_secret_key:
    external: true
    name: ${STACK_NAME}_app_secret_key_${SECRET_APP_SECRET_KEY}
  keycloak_client_secret:
    external: true
    name: ${STACK_NAME}_keycloak_client_secret_${SECRET_KEYCLOAK_CLIENT_SECRET}