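---
# Docker Compose file for testing Keycloak, Temporal, and Fedwiki integration
# Remember, this is for testing purposes only and not for production use
#
# Review notes on the security posture of this stack:
#   - Every credential in this file (Keycloak admin/admin, both Postgres
#     passwords, the temporal-ui client secret) is a fixed, well-known test
#     value committed to the repo. Treat every published port as
#     unauthenticated.
#   - Every `ports:` entry publishes on all host interfaces unless a host
#     address is prefixed. To keep the stack off the LAN, use the form
#     "127.0.0.1:${VALKEY_PORT:-6379}:6379" for each mapping.
#   - `alpine/curl:latest` and `busybox` are floating tags; pin a version or
#     digest if reproducible test runs matter.
#   - Several services depend on the compose-network alias
#     ${KC_HOSTNAME:-keycloak.localhost} given to the keycloak container; see
#     the note on temporal-ui about the KEYCLOAK_PORT interaction.
services:
  # Session Store
  # Started with the image defaults and published to the host; nothing in
  # this file configures authentication for it.
  valkey:
    image: valkey/valkey:8.1
    ports:
      - "${VALKEY_PORT:-6379}:6379"

  # Member Console DB
  postgres:
    image: postgres:18.1
    environment:
      - POSTGRES_USER=member_console
      - POSTGRES_PASSWORD=member_console
      - POSTGRES_DB=member_console
    volumes:
      # NOTE(review): mount point is the data volume root used by this image
      # tag; confirm against the image docs before bumping the major version.
      - ./testdata/postgres:/var/lib/postgresql
    ports:
      - "${POSTGRES_PORT:-5432}:5432"

  # Identity Provider
  # `start-dev` runs Keycloak in development mode (plain HTTP, no hostname
  # enforcement with KC_HOSTNAME_STRICT=false). The bootstrap admin account
  # below is also used by keycloak-seed and fedwiki-render.
  keycloak:
    image: quay.io/keycloak/keycloak:26.4.7
    command: start-dev
    environment:
      - KC_BOOTSTRAP_ADMIN_USERNAME=admin
      - KC_BOOTSTRAP_ADMIN_PASSWORD=admin
      # Enables the /health/* endpoints polled by the healthcheck below.
      - KC_HEALTH_ENABLED=true
      - KC_HOSTNAME=${KC_HOSTNAME:-keycloak.localhost}
      - KC_HOSTNAME_STRICT=false
    healthcheck:
      # Talks raw HTTP over bash's /dev/tcp to port 9000 inside the container
      # (no curl in the image). Port 9000 is not published, so the health
      # endpoint is only reachable from within the container.
      test:
        - "CMD-SHELL"
        - |
          exec 3<>/dev/tcp/127.0.0.1/9000;
          echo -e "GET /health/ready HTTP/1.1\r\nHost: localhost:9000\r\nConnection: close\r\n\r\n" >&3;
          if cat <&3 | grep -q "\"status\": \"UP\""; then
            exit 0
          else
            exit 1
          fi
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 30s
    networks:
      default:
        # Lets other containers resolve the issuer hostname to this
        # container, so tokens minted for KC_HOSTNAME validate in-network.
        aliases:
          - ${KC_HOSTNAME:-keycloak.localhost}
    ports:
      - "${KEYCLOAK_PORT:-8080}:8080"

  # Seed Keycloak with clients, roles, and test users
  # One-shot job; runs the mounted script with the bootstrap admin
  # credentials against the in-network Keycloak address (container port
  # 8080, independent of KEYCLOAK_PORT).
  keycloak-seed:
    image: alpine/curl:latest
    depends_on:
      keycloak:
        condition: service_healthy
    volumes:
      - ./seed/keycloak/seed-keycloak.sh:/seed/seed-keycloak.sh:ro
    environment:
      - KC_URL=http://keycloak:8080
      - KC_ADMIN_USER=admin
      - KC_ADMIN_PASSWORD=admin
      - MC_BASE_URL=${MC_BASE_URL:-http://localhost:8081}
      - TEMPORAL_UI_URL=${TEMPORAL_UI_URL:-http://localhost:8233}
    # Installs jq and bash at start-up (network access to the Alpine package
    # mirror is required on every run).
    entrypoint:
      - "/bin/sh"
      - "-c"
      - "apk add --no-cache jq bash >/dev/null 2>&1 && bash /seed/seed-keycloak.sh"
    networks:
      default: {}

  # Temporal
  # Not published to the host; only reachable from the compose network.
  temporal-db:
    image: postgres:18.1
    environment:
      - POSTGRES_USER=temporal
      - POSTGRES_PASSWORD=temporal
      - POSTGRES_DB=temporal
    volumes:
      # NOTE(review): same image-tag-specific mount point as `postgres` above.
      - ./testdata/temporal:/var/lib/postgresql

  temporal:
    image: temporalio/auto-setup:1.29.1
    # Plain `depends_on` only orders start-up; it does not wait for the DB to
    # accept connections. Presumably the auto-setup entrypoint retries on its
    # own — confirm if start-up flakes.
    depends_on:
      - temporal-db
    command: "autosetup"
    environment:
      - SERVICES=frontend:history:matching:worker:internal-frontend
      - DB=postgres12
      - DB_PORT=5432
      - POSTGRES_USER=temporal
      - POSTGRES_PWD=temporal
      - POSTGRES_SEEDS=temporal-db
      # The default namespace is created by temporal-seed instead, because
      # the public frontend below requires a JWT.
      - SKIP_DEFAULT_NAMESPACE_CREATION=true
      - TEMPORAL_AUTH_AUTHORIZER=default
      - TEMPORAL_AUTH_CLAIM_MAPPER=default
      # JWKS fetched by the server in-network: the alias resolves to the
      # keycloak container, which always listens on 8080, so this URL is
      # correct regardless of KEYCLOAK_PORT.
      - TEMPORAL_JWT_KEY_SOURCE1=http://${KC_HOSTNAME:-keycloak.localhost}:8080/realms/master/protocol/openid-connect/certs
      - USE_INTERNAL_FRONTEND=true
    ports:
      # Only the JWT-protected public frontend (7233) is published. The
      # internal frontend (7236) bypasses auth and must stay unpublished.
      - "${TEMPORAL_PORT:-7233}:7233"

  # Long-running CLI container pointed at the internal (unauthenticated)
  # frontend; presumably used via `docker compose exec` for ad-hoc admin.
  temporal-admin-tools:
    image: temporalio/admin-tools:1.29
    depends_on:
      - temporal
    environment:
      - TEMPORAL_ADDRESS=temporal:7236
      - TEMPORAL_CLI_ADDRESS=temporal:7236

  # Registers the "default" namespace via the internal frontend (port 7236
  # bypasses JWT auth). Idempotent: a "namespace already exists" failure is
  # treated as success. Runs once on `up` and exits.
  temporal-seed:
    image: temporalio/admin-tools:1.29
    depends_on:
      - temporal
    environment:
      - TEMPORAL_ADDRESS=temporal:7236
      - TEMPORAL_CLI_ADDRESS=temporal:7236
    restart: "no"
    # `$$` is compose's escape for a literal `$`, so the shell (not compose)
    # expands $(...), $? and $i. Polls for up to 60 x 2s = 120s.
    entrypoint:
      - /bin/sh
      - -c
      - |
        set -eu
        for i in $$(seq 1 60); do
          if temporal operator namespace describe -n default >/dev/null 2>&1; then
            echo "namespace 'default' already exists"; exit 0
          fi
          out=$$(temporal operator namespace create -n default --retention 24h 2>&1) && rc=0 || rc=$$?
          echo "$$out"
          if [ "$$rc" -eq 0 ]; then
            echo "namespace 'default' created"; exit 0
          fi
          if echo "$$out" | grep -q "already exists"; then
            echo "namespace 'default' already exists"; exit 0
          fi
          echo "waiting for temporal frontend... ($$i/60)"; sleep 2
        done
        echo "ERROR: temporal-seed gave up" >&2; exit 1

  temporal-ui:
    image: temporalio/ui:2.41.0
    depends_on:
      temporal:
        condition: service_started
      keycloak:
        condition: service_healthy
    environment:
      - TEMPORAL_ADDRESS=temporal:7233
      - TEMPORAL_UI_PORT=8233
      - TEMPORAL_CORS_ORIGINS=${TEMPORAL_UI_URL:-http://localhost:8233}
      - TEMPORAL_AUTH_ENABLED=true
      # NOTE(review): these two URLs combine the in-network alias
      # (${KC_HOSTNAME}, which resolves to the keycloak container listening
      # on 8080) with the *host* port ${KEYCLOAK_PORT}. They only agree with
      # the JWKS URL used by the `temporal` service when KEYCLOAK_PORT is
      # left at 8080 — confirm OIDC discovery still works before overriding
      # KEYCLOAK_PORT.
      - TEMPORAL_AUTH_PROVIDER_URL=http://${KC_HOSTNAME:-keycloak.localhost}:${KEYCLOAK_PORT:-8080}/realms/master
      - TEMPORAL_AUTH_ISSUER_URL=http://${KC_HOSTNAME:-keycloak.localhost}:${KEYCLOAK_PORT:-8080}/realms/master
      - TEMPORAL_AUTH_CLIENT_ID=temporal-ui
      # Fixed test-only secret; presumably must match the `temporal-ui`
      # client registered by seed/keycloak/seed-keycloak.sh — keep in sync.
      - TEMPORAL_AUTH_CLIENT_SECRET=HtRpQ1qZKuauyAqVV0x7r10a1YhVePy9
      - TEMPORAL_AUTH_CALLBACK_URL=${TEMPORAL_UI_URL:-http://localhost:8233}/auth/sso/callback
      - TEMPORAL_AUTH_SCOPES=openid,profile,email
      - LOG_LEVEL=debug
    ports:
      - "${TEMPORAL_UI_PORT:-8233}:8233"

  # FedWiki
  fedwiki-init:
    image: busybox
    # Copy seed tree, then strip render.sh and *.tpl files — those are
    # rendered into /data by the fedwiki-render service after KC seed.
    # chown to uid 1000 so the fedwiki container's `node` user can mkdir
    # site subdirs (pages/, recycle/, ...) at runtime.
    # `cp -n` never overwrites, so re-running `up` keeps existing testdata.
    command: sh -c 'cp -rn /seed/. /data/ && find /data -name "*.tpl" -delete && rm -f /data/render.sh && chown -R 1000:1000 /data'
    volumes:
      - ./seed/fedwiki:/seed:ro
      - ./testdata/fedwiki:/data

  # Resolves real Keycloak UUIDs and templates seed/fedwiki/*.tpl into
  # testdata/fedwiki/. Must run after keycloak-seed completes (users
  # exist) and after fedwiki-init completes (directory structure in
  # place). Writes files as root; fedwiki-init's chown -R 1000:1000
  # runs first, but any files this service writes will be root-owned.
  # The fedwiki node user (uid 1000) needs read-only access to these,
  # which 644/755 root-owned files satisfy.
  # Uses the Keycloak bootstrap admin credentials (same as keycloak-seed)
  # over the in-network address.
  fedwiki-render:
    image: alpine/curl:latest
    depends_on:
      keycloak-seed:
        condition: service_completed_successfully
      fedwiki-init:
        condition: service_completed_successfully
    volumes:
      - ./seed/fedwiki:/seed:ro
      - ./testdata/fedwiki:/data
    environment:
      - KC_URL=http://keycloak:8080
      - KC_REALM=master
      - KC_ADMIN_USER=admin
      - KC_ADMIN_PASSWORD=admin
    # gettext provides envsubst for the template step; installed on every run.
    entrypoint:
      - "/bin/sh"
      - "-c"
      - "apk add --no-cache jq gettext >/dev/null 2>&1 && sh /seed/render.sh"
    networks:
      default: {}

  fedwiki:
    image: git.coopcloud.tech/wiki-cafe/fedwiki-oci-image:0.39.4-2
    depends_on:
      fedwiki-init:
        condition: service_completed_successfully
      fedwiki-render:
        condition: service_completed_successfully
    # Unfortunately, fedwiki shits itself if you don't use port 80 when using passportjs
    command: wiki -p 80 --farm --security_type composable --auth_provider wiki-security-passportjs --authz_enhancers wiki-plugin-useraccesstokens
    volumes:
      - ./testdata/fedwiki:/home/node/.wiki
    ports:
      # Defaults to host port 80, which needs elevated privileges on most
      # hosts; override FEDWIKI_PORT to avoid that.
      - "${FEDWIKI_PORT:-80}:80"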