---
# Swarm stack for a Matrix Synapse homeserver: an nginx front end (web),
# the Synapse application (app) and its PostgreSQL database (db).
# ${...} references are interpolated at deploy time from the environment.
version: "3.8"

services:
  # nginx front end. It is the only service attached to the external
  # `proxy` network, so it is the only one Traefik can reach directly.
  web:
    # NOTE(review): images in this file are referenced by tag, not digest.
    # Tags can be re-pointed upstream; pinning by digest makes the deployed
    # content reproducible.
    image: nginx:1.25.3
    networks:
      - proxy
      - internal
    # Bare names (no `=value`) are passed through from the deploy environment.
    environment:
      - DOMAIN
      - STACK_NAME
      - NGINX_ACCESS_LOG_LOCATION
      - NGINX_ERROR_LOG_LOCATION
    configs:
      - source: nginx_config
        target: /etc/nginx/nginx.conf
      - source: wk_server
        target: /var/www/.well-known/matrix/server
      - source: wk_client
        target: /var/www/.well-known/matrix/client
    deploy:
      restart_policy:
        condition: on-failure
      # Traefik routes Host(${DOMAIN}) on the `web-secure` entrypoint to
      # port 80 of this service, with certificates from the resolver named
      # by LETS_ENCRYPT_ENV.
      labels:
        - "traefik.enable=true"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
    # String form, so the command runs through a shell. It probes the app
    # service's /health endpoint rather than nginx itself, so `web` is
    # reported unhealthy while Synapse is unreachable.
    # NOTE(review): assumes curl is available in the nginx image - confirm.
    healthcheck:
      test: curl -f http://${STACK_NAME}_app:8008/health || exit 1
      interval: 5s
      timeout: 3s
      retries: 20

  # Synapse homeserver. Attached to the `internal` network only; no Traefik
  # labels are set on it, so external traffic arrives via `web`.
  app:
    image: "matrixdotorg/synapse:v1.100.0"
    volumes:
      - "data:/data"
    # Attached as Docker secrets instead of environment variables. How the
    # config templates consume them is not visible in this file.
    secrets:
      - db_password
      - registration
      - macaroon
      - form_secret
    environment:
      - ALLOWED_LIFETIME_MAX
      - ALLOW_PUBLIC_ROOMS_FEDERATION
      - AUTO_JOIN_ROOM
      - AUTO_JOIN_ROOM_ENABLED
      - DISABLE_FEDERATION
      - DOMAIN
      - ENABLE_3PID_LOOKUP
      - ENABLE_ALLOWLIST
      - ENABLE_REGISTRATION
      - ENCRYPTED_BY_DEFAULT
      - FEDERATION_ALLOWLIST
      - LETSENCRYPT_HOST=${DOMAIN}
      - MEDIA_RETENTION_LOCAL_LIFETIME
      - MEDIA_RETENTION_REMOTE_LIFETIME
      - PASSWORD_LOGIN_ENABLED
      - REDACTION_RETENTION_PERIOD
      - RETENTION_MAX_LIFETIME
      - ROOT_LOG_LEVEL
      - SERVE_SERVER_WELLKNOWN
      - SQL_LOG_LEVEL
      - STACK_NAME
      - SYNAPSE_ADMIN_EMAIL
      # List-form entry: the whole item is one string, so `no` is not
      # converted to a YAML boolean.
      - SYNAPSE_REPORT_STATS=no
      - SYNAPSE_SERVER_NAME=${DOMAIN}
      - USER_IPS_MAX_AGE
      - VIRTUAL_HOST=${DOMAIN}
      - VIRTUAL_PORT=8008
      # Login rate limits. The `:-` defaults (0.003 per second, burst of 5)
      # apply when the variable is unset or empty.
      # NOTE(review): presumably consumed by homeserver.yaml.tmpl - confirm
      # the template really applies them before relying on these values.
      - LOGIN_LIMIT_IP_PER_SECOND=${LOGIN_LIMIT_IP_PER_SECOND:-0.003}
      - LOGIN_LIMIT_IP_BURST=${LOGIN_LIMIT_IP_BURST:-5}
      - LOGIN_LIMIT_ACCOUNT_PER_SECOND=${LOGIN_LIMIT_ACCOUNT_PER_SECOND:-0.003}
      - LOGIN_LIMIT_ACCOUNT_BURST=${LOGIN_LIMIT_ACCOUNT_BURST:-5}
    networks:
      - internal
    # Replaces the image's entrypoint with the templated script mounted
    # below from the `entrypoint_conf` config.
    entrypoint: /docker-entrypoint.sh
    configs:
      - source: homeserver_yaml
        target: /data/homeserver.yaml
      - source: log_config
        target: /data/log.config
      - source: entrypoint_conf
        target: /docker-entrypoint.sh
        # Read and execute for everyone, write for no one, when read as
        # octal. NOTE(review): a parser with YAML 1.2 semantics would read
        # this unquoted value as decimal 555 - confirm the deploy tool's
        # behaviour before changing the notation.
        mode: 0555
    deploy:
      restart_policy:
        condition: on-failure
      labels:
        - "coop-cloud.${STACK_NAME}.version=6.0.2+v1.100.0"
        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
    # Exec form: curl is run directly, without a shell.
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8008/health"]
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 1m

  # PostgreSQL backing store for Synapse. Attached to `internal` only.
  db:
    image: postgres:13-alpine
    secrets:
      - db_password
    environment:
      - LC_COLLATE=C
      - LC_CTYPE=C
      - POSTGRES_DB=synapse
      # Plain scalar: the quotes and backslashes are part of the value.
      - POSTGRES_INITDB_ARGS="-E \"UTF8\""
      # The password is read from the mounted secret file, so it is not
      # placed in the container environment.
      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
      - POSTGRES_USER=synapse
      - DOMAIN
    networks:
      - internal
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "synapse"]
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 1m
    volumes:
      - postgres:/var/lib/postgresql/data
    deploy:
      # Backup hooks. `$$` escapes deploy-time interpolation so the
      # variables are expanded inside the container when the hook runs.
      # The pre-hook writes an unencrypted SQL dump into the data volume
      # (the same path that is backed up); the post-hook deletes it.
      # NOTE(review): if the post-hook does not run, the plaintext dump
      # stays in the volume - confirm how the backup tool handles failures.
      labels:
        backupbot.backup: "true"
        backupbot.backup.pre-hook: "PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
        backupbot.backup.post-hook: "rm -r /var/lib/postgresql/data/backup.sql"
        backupbot.backup.path: "/var/lib/postgresql/data"

volumes:
  data:
  postgres:

networks:
  # Created outside this stack; shared with the reverse proxy.
  proxy:
    external: true
  # Stack-scoped network joining web, app and db. Despite its name it does
  # not set `internal: true`.
  # NOTE(review): confirm which attached services actually need outbound
  # connectivity.
  internal:

# Config objects rendered with the `golang` template driver. Each name
# carries a *_VERSION variable, so a changed template is deployed under a
# new config name.
configs:
  entrypoint_conf:
    name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_CONF_VERSION}
    file: entrypoint.sh.tmpl
    template_driver: golang
  homeserver_yaml:
    name: ${STACK_NAME}_homeserver_yaml_${HOMESERVER_YAML_VERSION}
    file: homeserver.yaml.tmpl
    template_driver: golang
  log_config:
    name: ${STACK_NAME}_log_config_${LOG_CONFIG_VERSION}
    file: log.config.tmpl
    template_driver: golang
  nginx_config:
    name: ${STACK_NAME}_nginx_config_${NGINX_CONFIG_VERSION}
    file: nginx.conf.tmpl
    template_driver: golang
  wk_server:
    name: ${STACK_NAME}_wk_server_${WK_SERVER_VERSION}
    file: well_known_server.conf.tmpl
    template_driver: golang
  wk_client:
    name: ${STACK_NAME}_wk_client_${WK_CLIENT_VERSION}
    file: well_known_client.conf.tmpl
    template_driver: golang

# All secrets are `external`: they must already exist before deployment and
# their values never appear in this file. The version suffix in each name
# selects which stored secret is used.
secrets:
  db_password:
    external: true
    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
  registration:
    external: true
    name: ${STACK_NAME}_registration_${SECRET_REGISTRATION_VERSION}
  macaroon:
    external: true
    name: ${STACK_NAME}_macaroon_${SECRET_MACAROON_VERSION}
  form_secret:
    external: true
    name: ${STACK_NAME}_form_secret_${SECRET_FORM_SECRET_VERSION}