---
version: "3.8"

services:
  web:
    image: nginx:1.21.0
    environment:
      - STACK_NAME=${STACK_NAME}
      - DOMAIN=${DOMAIN}
    configs:
      - source: nginx_conf
        target: /etc/nginx/nginx.conf
    networks:
      - proxy
      - internal
    deploy:
      update_config:
        failure_action: rollback
      labels:
        - "traefik.enable=true"
        - "traefik.http.services.kcp.loadbalancer.server.port=80"
        - "traefik.http.routers.kcp.rule=Host(`${DOMAIN}`)"
        - "traefik.http.routers.kcp.entrypoints=web-secure"
        - "traefik.http.routers.kcp.tls.certresolver=production"

  app:
    image: "decentral1se/keycloak-collective-portal:latest"
    environment:
      - APP_SECRET_KEY_FILE=/run/secrets/app_secret_key
      - KEYCLOAK_CLIENT_ID
      - KEYCLOAK_CLIENT_SECRET_FILE=/run/secrets/keycloak_client_secret
      - KEYCLOAK_DOMAIN
      - KEYCLOAK_REALM
    secrets:
      - app_secret_key
      - keycloak_client_secret
    networks:
      - internal
    configs:
      - source: entrypoint_sh
        target: /usr/local/bin/entrypoint.sh
        mode: 0555
    entrypoint: /usr/local/bin/entrypoint.sh
    command: |
      uvicorn
      -k uvicorn.workers.UvicornWorker
      --host 0.0.0.0
      --forwarded-allow-ips='*'
      --proxy-headers keycloak_collective_portal:app

networks:
  proxy:
    external: true
  internal:
    internal: true

configs:
  nginx_conf:
    name: ${STACK_NAME}_nginx_conf_${NGINX_CONF_VERSION}
    file: nginx.conf.tmpl
    template_driver: golang
  entrypoint_sh:
    name: ${STACK_NAME}_entrypoint_conf_${ENTRYPOINT_CONF_VERSION}
    file: entrypoint.sh.tmpl
    template_driver: golang

secrets:
  app_secret_key:
    external: true
    name: ${STACK_NAME}_app_secret_key_${SECRET_APP_SECRET_KEY}
  keycloak_client_secret:
    external: true
    name: ${STACK_NAME}_keycloak_client_secret_${SECRET_KEYCLOAK_CLIENT_SECRET}