---
version: "3.8"

services:
  web:
    image: nginx:1.20.0
    networks:
      - proxy
      - internal
    environment:
      - DISABLE_FEDERATION
      - DOMAIN
      - STACK_NAME
    configs:
      - source: nginx_config
        target: /etc/nginx/nginx.conf
    deploy:
      restart_policy:
        condition: on-failure
      labels:
        - "traefik.enable=true"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "coop-cloud.${STACK_NAME}.version=0.1.0+v1.48.0"

  app:
    image: "matrixdotorg/synapse:v1.48.0"
    volumes:
      - "data:/data"
    secrets:
      - db_password
      - registration_shared_secret
      - macaroon_secret_key
      - form_secret
    environment:
      - DISABLE_FEDERATION
      - DOMAIN
      - LETSENCRYPT_HOST=${DOMAIN}
      - SYNAPSE_ADMIN_EMAIL
      - SYNAPSE_REPORT_STATS=no
      - SYNAPSE_SERVER_NAME=${DOMAIN}
      - VIRTUAL_HOST=${DOMAIN}
      - VIRTUAL_PORT=8008
    networks:
      - internal
    entrypoint: /docker-entrypoint.sh
    configs:
      - source: homeserver_yaml
        target: /data/homeserver.yaml
      - source: entrypoint_conf
        target: /docker-entrypoint.sh
        mode: 0555
    deploy:
      restart_policy:
        condition: on-failure
        delay: "60s"
        max_attempts: 3
        window: 120s

  db:
    image: postgres:13-alpine
    secrets:
      - db_password
    environment:
      POSTGRES_DB: synapse
      POSTGRES_USER: synapse
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
      # https://matrix-org.github.io/synapse/latest/postgres.html#set-up-database
      POSTGRES_INITDB_ARGS: "--encoding=UTF-8 --lc-collate=C --lc-ctype=C"
    networks:
      - internal
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "synapse"]
    volumes:
      - postgres:/var/lib/postgresql/data

volumes:
  data:
  postgres:

networks:
  proxy:
    external: true
  internal:

configs:
  entrypoint_conf:
    name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_CONF_VERSION}
    file: entrypoint.sh.tmpl
    template_driver: golang
  homeserver_yaml:
    name: ${STACK_NAME}_homserver_yaml_${HOMESERVER_YAML_VERSION}
    file: homeserver.yaml.tmpl
    template_driver: golang
  nginx_config:
    name: ${STACK_NAME}_nginx_config_${NGINX_CONFIG_VERSION}
    file: nginx.conf.tmpl
    template_driver: golang

secrets:
  db_password:
    external: true
    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
  registration_shared_secret:
    external: true
    name: ${STACK_NAME}_db_password_${SECRET_REGISTRATION_SHARED_SECRET_VERSION}
  macaroon_secret_key:
    external: true
    name: ${STACK_NAME}_db_password_${SECRET_MACAROON_SECRET_KEY_VERSION}
  form_secret:
    external: true
    name: ${STACK_NAME}_db_password_${SECRET_FORM_SECRET_VERSION}