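---
# Docker Compose template for HedgeDoc with a PostgreSQL backend, published through Traefik.
# The {{ ... }} placeholders are filled in by a template engine before Compose reads the file.
#
# Security notes for whoever renders and deploys this file:
#   - Every secret below ends up in the rendered file and in the container environment
#     (readable via `docker inspect`), so keep the rendered file readable by the deploy user only.
#   - The templated list items are plain (unquoted) scalars. A rendered value containing ' #' is
#     silently cut off at the comment marker, and ': ' changes how the item parses.
#   - Compose interpolates '$' in values, so a literal '$' in a secret must be rendered as '$$'.
version: '3'

services:
  database:
    # Floating tag: the image content changes as the tag is re-published.
    # Pin by digest (postgres@sha256:<digest>) if reproducible deployments matter.
    image: postgres:13-alpine
    environment:
      - POSTGRES_USER={{ hedgedoc.db.user }}
      - POSTGRES_PASSWORD={{ hedgedoc.db.password }}
      - POSTGRES_DB={{ hedgedoc.db.name }}
    volumes:
      - database:/var/lib/postgresql/data
    restart: always
    networks:
      # Only the internal network: the database is not reachable from outside the stack.
      - backend
    healthcheck:
      # Probe as the configured role and database. Without -U/-d, pg_isready falls back to the
      # OS user running the check (presumably root in this image), which the server logs as a
      # failed connection on every probe and buries real authentication failures in noise.
      # '$$' stops Compose from interpolating; the shell inside the container expands it.
      test:
        - CMD-SHELL
        - pg_isready -U "$$POSTGRES_USER" -d "$$POSTGRES_DB"
      interval: 10s
      timeout: 5s
      retries: 5

  app:
    # Make sure to use the latest release from https://hedgedoc.org/latest-release
    # NOTE(review): the tag below is pinned; check the release notes for security fixes
    # published after it before deploying.
    image: quay.io/hedgedoc/hedgedoc:1.9.3
    environment:
      # User and password are inserted verbatim into the URL: characters such as '@', ':' or '/'
      # must already be percent-encoded in the rendered value, or the URL is parsed incorrectly.
      - CMD_DB_URL=postgres://{{ hedgedoc.db.user }}:{{ hedgedoc.db.password }}@database:5432/{{ hedgedoc.db.name }}
      - CMD_DOMAIN=doc.tobiasmanske.de
      # NOTE(review): 'localhost' is also an allowed origin; drop it if it is a development leftover.
      - CMD_ALLOW_ORIGIN=doc.tobiasmanske.de,localhost
      - CMD_CSP_ENABLE=true
      - CMD_PROTOCOL_USESSL=true
      # NOTE(review): CMD_PROTOCOL_USESSL above is the documented spelling; this variant looks
      # like a duplicate that HedgeDoc ignores. Confirm and remove.
      - CMD_PROTOCOL_USE_SSL=true
      - CMD_ALLOW_EMAIL_REGISTER=false
      # Guests cannot create notes, but ANONYMOUS_EDITS=true still lets them edit notes whose
      # owner chose a permission that admits guests. New notes default to 'private' (below).
      - CMD_ALLOW_ANONYMOUS=false
      - CMD_ALLOW_ANONYMOUS_EDITS=true
      - CMD_ALLOW_FREEURL=true
      - CMD_DEFAULT_PERMISSION=private
      # Session secret: use a long random value and keep it stable across restarts.
      - CMD_SESSION_SECRET={{ hedgedoc.cmd.session_secret }}
      # Login is delegated to an OAuth2/OIDC provider (labelled "Keycloak" in the UI).
      # The authorization, token and profile URLs should all be https.
      - CMD_OAUTH2_CLIENT_ID={{ hedgedoc.cmd.client_id }}
      - CMD_OAUTH2_CLIENT_SECRET={{ hedgedoc.cmd.client_secret }}
      - CMD_OAUTH2_AUTHORIZATION_URL={{ hedgedoc.cmd.authorization_url }}
      - CMD_OAUTH2_SCOPE=openid email profile
      - CMD_OAUTH2_TOKEN_URL={{ hedgedoc.cmd.token_url }}
      - CMD_OAUTH2_USER_PROFILE_URL={{ hedgedoc.cmd.user_profile_url }}
      - CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
      - CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
      - CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
      - CMD_OAUTH2_PROVIDERNAME=Keycloak
      # Uploads go to an S3-compatible store. Scope the access key to the 'hedgedoc' bucket
      # only, and render CMD_MINIO_SECURE as true so credentials and uploads travel over TLS.
      - CMD_IMAGE_UPLOAD_TYPE=minio
      - CMD_MINIO_ACCESS_KEY={{ hedgedoc.cmd.s3.access_key }}
      - CMD_MINIO_SECRET_KEY={{ hedgedoc.cmd.s3.secret_key }}
      - CMD_MINIO_ENDPOINT={{ hedgedoc.cmd.s3.endpoint }}
      - CMD_MINIO_PORT={{ hedgedoc.cmd.s3.port }}
      - CMD_MINIO_SECURE={{ hedgedoc.cmd.s3.secure }}
      - CMD_S3_BUCKET=hedgedoc
      - CMD_S3_FOLDER=uploads
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.hedgedoc.rule=Host(`doc.tobiasmanske.de`)"
      # 'deny-metrics' is defined in Traefik's file provider, not in this file. It presumably
      # blocks the metrics path on the public router; verify that it exists, because port 3000
      # is also the Prometheus scrape target below.
      - "traefik.http.routers.hedgedoc.middlewares=deny-metrics@file"
      - "traefik.http.routers.hedgedoc.entryPoints=websecure"
      - "traefik.http.services.hedgedoc.loadbalancer.server.port=3000"
      - "prometheus-scrape.enabled=true"
      - "prometheus-scrape.port=3000"
    depends_on:
      # Wait for the database healthcheck to pass before starting the app.
      database:
        condition: service_healthy
    networks:
      - backend
      - metrics
      - default  # oauth

volumes:
  database:

networks:
  # No external connectivity: carries only app <-> database traffic.
  backend:
    internal: true
  # Created outside this file and shared with the metrics scraper.
  metrics:
    external: true
...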