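---
# Compose stack for Keycloak with a private PostgreSQL backend.
# This file is a Jinja template (the `{{ auth.* }}` values are rendered before
# Compose reads it), so every templated scalar is kept double-quoted.
# Compose v2 ignores `version` (it only prints a warning); it is kept for
# Compose v1 compatibility.
version: '3.9'

services:
  postgres:
    # Major-version tag only: minor/patch updates are pulled automatically.
    # Pin by digest (image: postgres:15@sha256:<digest>) if reproducibility matters.
    image: postgres:15
    restart: always
    # Credentials are plain environment variables and are readable with
    # `docker inspect`. The postgres image also accepts POSTGRES_PASSWORD_FILE,
    # which pairs with a Compose `secrets:` entry.
    environment:
      - "POSTGRES_DB={{ auth.db.name }}"
      - "POSTGRES_USER={{ auth.db.user }}"
      - "POSTGRES_PASSWORD={{ auth.db.password }}"
    volumes:
      - pg_data:/var/lib/postgresql/data
    networks:
      - backend
    healthcheck:
      # Exec form: each array element is one argv entry. The previous
      # `["CMD-SHELL", "pg_isready", "-U", "keycloak"]` passed the command
      # string "pg_isready" to `sh -c` and the remaining elements as shell
      # positional parameters, so `-U keycloak` never reached pg_isready; it
      # also hard-coded a user name that is templated everywhere else.
      # NOTE(review): pg_isready defaults to the unix socket, which the
      # image's temporary initdb server also exposes; add `-h localhost` if
      # the check ever reports healthy before init scripts finish — verify.
      test: ["CMD", "pg_isready", "-U", "{{ auth.db.user }}", "-d", "{{ auth.db.name }}"]
      interval: 10s
      timeout: 5s
      retries: 5

  keycloak:
    # `main` is a mutable tag on a self-hosted registry: every pull may yield
    # a different image. Pin by digest to make deployments reproducible and
    # to detect tag tampering.
    image: registry.tobiasmanske.de/keycloak:main
    # Production mode (`start`), not `start-dev`.
    command: start
    depends_on:
      postgres:
        # Relies on the postgres healthcheck above actually probing the server.
        condition: service_healthy
    environment:
      - "KC_DB=postgres"
      # Service name resolves on the shared `backend` network.
      - "KC_DB_URL_HOST=postgres"
      - "KC_DB_URL_DATABASE={{ auth.db.name }}"
      - "KC_DB_USERNAME={{ auth.db.user }}"
      - "KC_DB_PASSWORD={{ auth.db.password }}"
      # Bootstrap admin account. NOTE(review): newer Keycloak releases rename
      # these to KC_BOOTSTRAP_ADMIN_USERNAME/KC_BOOTSTRAP_ADMIN_PASSWORD; the
      # image version behind the `main` tag is not visible here — confirm.
      - "KEYCLOAK_ADMIN={{ auth.keycloak.user }}"
      - "KEYCLOAK_ADMIN_PASSWORD={{ auth.keycloak.password }}"
      # TLS is terminated by Traefik; Keycloak serves plain HTTP on 8080 and
      # trusts X-Forwarded-* headers. NOTE(review): `KC_PROXY` is deprecated
      # in recent Keycloak releases in favour of KC_PROXY_HEADERS — confirm
      # against the image version.
      - "KC_PROXY=edge"
      - "KC_HOSTNAME=auth.tobiasmanske.de"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.keycloak.rule=Host(`auth.tobiasmanske.de`)"
      - "traefik.http.routers.keycloak.entryPoints=websecure"
      - "traefik.http.services.keycloak.loadbalancer.server.port=8080"
      # NOTE(review): this container sits on two networks; unless the Traefik
      # docker provider has `network` configured, it may pick the `backend`
      # address it cannot reach. Adding
      # `traefik.docker.network=<compose-project>_default` removes the guess.
    restart: always
    networks:
      - backend
      - default # keycloak needs to talk to social logins

networks:
  # Internal-only: postgres is never reachable from outside the stack.
  backend:
    internal: true

volumes:
  pg_data:
...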