---
services:
  app:
    image: weblate/weblate:5.12.2.3
    networks:
      - proxy
      - backend
    read_only: true
    environment:
      WEBLATE_SITE_DOMAIN: "${DOMAIN}"
      WEBLATE_ENABLE_HTTPS: 1
      WEBLATE_IP_PROXY_HEADER: HTTP_X_FORWARDED_FOR
      WEBLATE_DEBUG:
      WEBLATE_LOGLEVEL:
      WEBLATE_SITE_TITLE:
      WEBLATE_ADMIN_NAME:
      WEBLATE_ADMIN_EMAIL:
      WEBLATE_ADMIN_PASSWORD_FILE: /run/secrets/weblate_admin_password
      WEBLATE_SERVER_EMAIL:
      WEBLATE_DEFAULT_FROM_EMAIL:
      WEBLATE_ALLOWED_HOSTS: "*"
      WEBLATE_TIME_ZONE:
      CLIENT_MAX_BODY_SIZE:
      # Login
      WEBLATE_REGISTRATION_OPEN:
      WEBLATE_REGISTRATION_ALLOW_BACKENDS:
      # Cache
      # https://docs.weblate.org/en/latest/admin/install.html#production-cache
      REDIS_HOST: cache
      REDIS_PORT: 6379
      # Database
      POSTGRES_HOST: db
      POSTGRES_USER: weblate
      POSTGRES_DB: weblate
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
      # TODO: needed for Weblate 5.4.x and older containers
      POSTGRES_DATABASE: weblate
      # Email
      WEBLATE_EMAIL_HOST:
      WEBMAIL_EMAIL_HOST_USER:
    volumes:
      - weblate-data:/app/data
      - weblate-cache:/app/cache
      - type: tmpfs
        target: /run
      - type: tmpfs
        target: /tmp
    secrets:
      - weblate_admin_password
      - db_password
    deploy:
      restart_policy:
        condition: on-failure
      labels:
        - "traefik.enable=true"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8080"
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        ## Redirect from EXTRA_DOMAINS to DOMAIN
        #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
        ## Redirect HTTP to HTTPS
        # - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.scheme=https"
        # - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.permanent=true"
        ## When you're ready for release, run "abra recipe sync <name>" to set this
        - "coop-cloud.${STACK_NAME}.version=0.1.0+5.12.2.3"
        ## Enable backups: https://docs.coopcloud.tech/maintainers/handbook/#how-do-i-configure-backuprestore
        # - "backupbot.backup=true"
        # - "backupbot.backup.path=/some/path"
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080/healthz/"]
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 1m

  cache:
    image: redis:8-alpine
    volumes:
      - redis-data:/data
    command: [redis-server, --save, '60', '1']
    networks:
      - backend
    read_only: true

  db:
    image: postgres:17-alpine
    environment:
      POSTGRES_USER: weblate
      POSTGRES_DB: weblate
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_password
    volumes:
      - postgres-data:/var/lib/postgresql/data
    networks:
      - backend

volumes:
  weblate-cache:
  weblate-data:
  postgres-data:
  redis-data:

networks:
  backend:
  proxy:
    external: true

secrets:
  weblate_admin_password:
    external: true
    name: ${STACK_NAME}_weblate_admin_password_${SECRET_WEBLATE_ADMIN_PASSWORD_VERSION}
  db_password:
    external: true
    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}