version: "3.8"

services:
  app:
    image: "penpotapp/frontend:1.19.3"
    networks:
      - proxy
      - internal
    volumes:
      - penpot_assets:/opt/data
    depends_on:
      - penpot-backend
      - penpot-exporter
    environment:
      - PENPOT_FLAGS
    secrets:
      - db_password
    deploy:
      restart_policy:
        condition: on-failure
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=proxy"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
        - "coop-cloud.${STACK_NAME}.version=2.0.1+1.19.3"

  penpot-backend:
    image: "penpotapp/backend:1.19.3"
    volumes:
      - penpot_assets:/opt/data
    depends_on:
      - penpot-postgres
      - penpot-redis
    environment:
      - PENPOT_FLAGS
      - PENPOT_PREPL_HOST=0.0.0.0 # I don't really understand what that is for
      - PENPOT_PUBLIC_URI=${DOMAIN}
      - PENPOT_SECRET_KEY_FILE=/run/secrets/secret_key
      - PENPOT_DATABASE_PASSWORD_FILE=/run/secrets/db_password
      - PENPOT_DATABASE_URI=postgresql://penpot-postgres/penpot
      - PENPOT_DATABASE_USERNAME=penpot
      - PENPOT_REDIS_URI=redis://penpot-redis/0
      - PENPOT_SMTP_DEFAULT_FROM
      - PENPOT_SMTP_DEFAULT_REPLY_TO
      - PENPOT_SMTP_HOST
      - PENPOT_SMTP_PORT
      - PENPOT_SMTP_USERNAME
      - PENPOT_SMTP_PASSWORD
      - PENPOT_SMTP_TLS
      - PENPOT_SMTP_SSL
      - PENPOT_ASSETS_STORAGE_BACKEND
      - PENPOT_ASSETS_FS_DIRECTORY
      - PENPOT_STORAGE_ASSETS_S3_ENDPOINT
      - PENPOT_STORAGE_ASSETS_S3_BUCKET
      - AWS_ACCESS_KEY_ID
      - AWS_SECRET_ACCESS_KEY
    secrets:
      - db_password
      - secret_key
    configs:
      - source: backend_entrypoint
        target: /docker-entrypoint.sh
        mode: 0555
    entrypoint: /docker-entrypoint.sh
    networks:
      - internal

  penpot-exporter:
    image: "penpotapp/exporter:1.19.3"
    environment:
      - PENPOT_PUBLIC_URI=http://app
      - PENPOT_REDIS_URI=redis://penpot-redis/0
    networks:
      - internal

  penpot-postgres:
    image: "postgres:16.2"
    stop_signal: SIGINT
    secrets:
      - db_password
    environment:
      - POSTGRES_INITDB_ARGS=--data-checksums
      - POSTGRES_DB=penpot
      - POSTGRES_USER=penpot
      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
    volumes:
      - postgres:/var/lib/postgresql/data
    networks:
      - internal

  penpot-redis:
    image: redis:7.2.4
    networks:
      - internal

networks:
  internal:
  proxy:
    external: true

volumes:
  postgres:
  penpot_assets:

configs:
  backend_entrypoint:
    name: ${STACK_NAME}_backend_entrypoint_${BACKEND_ENTRYPOINT_CONF_VERSION}
    file: entrypoint-backend.sh

secrets:
  db_password:
    external: true
    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
  secret_key:
    external: true
    name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
  smtp_password:
    external: true
    name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}