---
version: "3.8"

services:
  app:
    image: "decentral1se/keycloak-collective-portal:latest"
    environment:
      - APP_SECRET_KEY_FILE=/run/secrets/app_secret_key
      - APP_THEME
      - INVITE_TIME_LIMIT
      - KEYCLOAK_CLIENT_ID
      - KEYCLOAK_CLIENT_SECRET_FILE=/run/secrets/keycloak_client_secret
      - KEYCLOAK_DOMAIN
      - KEYCLOAK_REALM
      - REDIS_DB=0
      - REDIS_HOST=cache
      - REDIS_PORT=6379
    secrets:
      - app_secret_key
      - keycloak_client_secret
    networks:
      - proxy
      - internal
    configs:
      - source: entrypoint_sh
        target: /usr/local/bin/entrypoint.sh
        mode: 0555
    entrypoint: /usr/local/bin/entrypoint.sh
    healthcheck:
      test: curl --fail 0.0.0.0:8000/healthz || exit 1
    deploy:
      update_config:
        failure_action: rollback
        order: start-first
      labels:
        - "traefik.enable=true"
        - "traefik.http.services.kcp.loadbalancer.server.port=8000"
        - "traefik.http.routers.kcp.rule=Host(`${DOMAIN}`)"
        - "traefik.http.routers.kcp.entrypoints=web-secure"
        - "traefik.http.routers.kcp.tls.certresolver=production"
    command: |
      uvicorn
      --host 0.0.0.0
      --forwarded-allow-ips="*"
      --proxy-headers
      keycloak_collective_portal.main:app

  cache:
    image: redis:6.2-alpine
    networks:
      - internal
    healthcheck:
      test: redis-cli ping
    volumes:
      - redis:/data

networks:
  proxy:
    external: true
  internal:
configs:
  entrypoint_sh:
    name: ${STACK_NAME}_entrypoint_conf_${ENTRYPOINT_CONF_VERSION}
    file: entrypoint.sh.tmpl
    template_driver: golang

secrets:
  app_secret_key:
    external: true
    name: ${STACK_NAME}_app_secret_key_${SECRET_APP_SECRET_KEY}
  keycloak_client_secret:
    external: true
    name: ${STACK_NAME}_keycloak_client_secret_${SECRET_KEYCLOAK_CLIENT_SECRET}

volumes:
  redis: