services:

  member-console:
    image: git.coopcloud.tech/wiki-cafe/member-console:2025-05-19t02z
    networks:
      - proxy
      - internal
    environment:
      - MC_BASE_URL=https://${DOMAIN}
      - MC_ENV
      - MC_PORT
      - MC_OIDC_SP_CLIENT_ID
      - MC_OIDC_SP_CLIENT_SECRET_FILE=/run/secrets/oidc_sp_client_secret
      - MC_OIDC_IDP_ISSUER_URL
      - MC_SESSION_SECRET_FILE=/run/secrets/session_secret
      - MC_CSRF_SECRET_FILE=/run/secrets/csrf_secret
    secrets:
      - oidc_sp_client_secret
      - session_secret
      - csrf_secret
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8080"
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "caddy=${DOMAIN}"
        - "caddy.reverse_proxy={{upstreams 8080}}"
        - "caddy.tls.on_demand="
        - "backupbot.backup=true"

secrets:
  oidc_sp_client_secret:
    external: true
    name: ${STACK_NAME}_oidc_sp_client_secret
  session_secret:
    external: true
    name: ${STACK_NAME}_session_secret
  csrf_secret:
    external: true
    name: ${STACK_NAME}_csrf_secret

networks:
  proxy:
    external: true
  internal: