version: '3.8'
services:
  app:
    image: kimai/kimai2:apache-2.15.0-prod
    environment:
      - APP_ENV=prod
      - TRUSTED_HOSTS=localhost,traefik,${DOMAIN},127.0.0.1
      - TRUSTED_PROXIES=localhost,traefik,127.0.0.1
      - ADMINMAIL=admin@kimai.local
      - ADMINPASS_FILE=/run/secrets/admin_password
      - DATABASE_TYPE=mysql
      - DATABASE_HOST=db
      - DATABASE_NAME=kimai?charset=utf8mb4&serverVersion=5.7
      - DATABASE_USER=kimai
      - DATABASE_PASSWORD_FILE=/run/secrets/db_password
      - DOMAIN
      - SSO_ENABLED
      - SSO_PROVIDER_URL
      - SSO_SAML_URL
      - SSO_LOGOUT_URL
      - SSO_CERT
    volumes:
      - kimai_public:/opt/kimai/public
      - kimai_var:/opt/kimai/var
    networks:
      - internal
      - proxy
    configs:
      - source: entrypoint_conf
        target: /docker-entrypoint.sh
        mode: 0555
      - source: local_conf
        target: /opt/kimai/config/packages/local.yaml
    secrets:
      - db_password
      - admin_password
    depends_on:
      - db
    entrypoint: /docker-entrypoint.sh
    #healthcheck:
    #  test: curl -s -o /dev/null http://localhost:8001 || exit 1
    #  interval: 20s
    #  start_period: 10s
    #  timeout: 10s
    #  retries: 3
    deploy:
      restart_policy:
        condition: on-failure
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=proxy"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8001"
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
        - "coop-cloud.${STACK_NAME}.version=1.0.0+apache-2.15.0-prod"
  db:
    image: mysql:5.7
    environment:
      - MYSQL_DATABASE=kimai
      - MYSQL_USER=kimai
      - MYSQL_PASSWORD_FILE=/run/secrets/db_password
      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
    volumes:
      - mariadb:/var/lib/mysql
    networks:
      - internal
    secrets:
      - db_password
      - db_root_password
    command: --default-storage-engine innodb
    #healthcheck:
    #  test: mysqladmin -pchangemeplease ping -h localhost
    #  interval: 20s
    #  start_period: 10s
    #  timeout: 10s
    #  retries: 3
    deploy:
      labels:
        - "backupbot.backup=true"
        - "backupbot.backup.pre-hook=sh -c 'mysqldump --single-transaction -u root -p\"$$(cat /run/secrets/db_root_password)\" kimai > /var/lib/mysql/backup.sql'"
        - "backupbot.backup.post-hook=rm -f /var/lib/mysql/backup.sql"
        - "backupbot.backup.path=/var/lib/mysql/backup.sql"

volumes:
  kimai_var:
  kimai_public:
  mariadb:


secrets:
  db_password:
    external: true
    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
  db_root_password:
    external: true
    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
  admin_password:
    external: true
    name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION}

networks:
  proxy:
    external: true
  internal:


configs:
  entrypoint_conf:
    name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_CONF_VERSION}
    file: entrypoint.sh.tmpl
    template_driver: golang
  local_conf:
    name: ${STACK_NAME}_local_config_${LOCAL_CONF_VERSION}
    file: local.yaml.tmpl
    template_driver: golang