---
version: "3.8"

services:
  app:
    image: git.local-it.org/local-it/mitgliederverwaltung:latest
    networks:
      - proxy
      - internal
    deploy:
      restart_policy:
        condition: on-failure
      labels:
        - "traefik.enable=true"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=4001"
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        ## Redirect from EXTRA_DOMAINS to DOMAIN
        #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
        ## Redirect HTTP to HTTPS
        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.scheme=https"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.permanent=true"
        - "coop-cloud.${STACK_NAME}.version="
    environment:
      DATABASE_HOST: db
      DATABASE_USER: mila
      DATABASE_NAME: mila
      DATABASE_PASSWORD_FILE: /run/secrets/db_password
      SECRET_KEY_BASE_FILE: /run/secrets/secret_key_base
      TOKEN_SIGNING_SECRET_FILE: /run/secrets/token_signing_secret
      PHX_HOST: "${DOMAIN}"
      PORT: "4001"
      PHX_SERVER: "true"
    secrets:
      - db_password
      - secret_key_base
      - token_signing_secret
    # healthcheck:
    #   test: ["/app/bin/mv", "eval", "IO.puts(:ok)"]
    #   interval: 30s
    #   timeout: 10s
    #   retries: 3
    #   start_period: 60s

  db:
    image: postgres:16-alpine
    environment:
      POSTGRES_DB: mila
      POSTGRES_USER: mila
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
    volumes:
      - postgres_data:/var/lib/postgresql/data
    configs:
      - source: pg_backup
        target: /pg_backup.sh
        mode: 0555
    secrets:
      - db_password
    networks:
      - internal
    deploy:
      restart_policy:
        condition: on-failure
      labels:
        backupbot.backup: "${ENABLE_BACKUPS:-true}"
        backupbot.backup.pre-hook: "/pg_backup.sh backup"
        backupbot.backup.volumes.postgres_data.path: "backup.sql"
        backupbot.restore.post-hook: '/pg_backup.sh restore'
    healthcheck:
      test: "pg_isready"
      interval: 30s
      timeout: 10s
      retries: 5
      start_period: 1m

secrets:
  db_password:
    external: true
    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
  secret_key_base:
    external: true
    name: ${STACK_NAME}_secret_key_base_${SECRET_SECRET_KEY_BASE_VERSION}
  token_signing_secret:
    external: true
    name: ${STACK_NAME}_token_signing_secret_${SECRET_TOKEN_SIGNING_SECRET_VERSION}

configs:
  pg_backup:
    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
    file: pg_backup.sh

networks:
  proxy:
    external: true
  internal:

volumes:
  postgres_data: