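# Self-hosted NetBird stack (dashboard, signal, relay, management, coturn)
# with Keycloak as the OIDC provider, PostgreSQL as Keycloak's database and
# Traefik as the only service that publishes 80/443 on the host.
#
# Every ${...} value is interpolated by Compose from the shell environment or
# an .env file; keep that file out of version control.
#
# NOTE(review): most images use ":latest", so every pull can change the code
# that terminates authentication and VPN control traffic. Pin each image to a
# reviewed version tag or digest.
services:
  # Keycloak part
  traefik:
    image: traefik:v2.11
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # NOTE(review): ":ro" only makes the socket file read-only; the Docker
      # API behind it still accepts every request, so a compromise of this
      # container is equivalent to root on the host. Consider a filtering
      # socket proxy that allows only the read-only endpoints Traefik needs.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./../../../traefik/traefik.yml:/etc/traefik/traefik.yml:ro
      - ./../../../traefik/dynamic.yml:/etc/traefik/dynamic.yml:ro
      # Holds the ACME account key and issued private keys; Traefik expects
      # this file to be mode 0600.
      - ./../../../traefik/acme.json:/acme.json
    labels:
      - "traefik.enable=true"

  postgres:
    image: postgres:16
    restart: unless-stopped
    environment:
      POSTGRES_DB: "${POSTGRES_DB}"
      POSTGRES_USER: "${POSTGRES_USER}"
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD}"
    volumes:
      - ./../../../pgdata:/var/lib/postgresql/data

  keycloak:
    image: quay.io/keycloak/keycloak:latest
    restart: unless-stopped
    ports:
      # For debugging from the host only. Other containers reach port 8080
      # over the Compose network without any published port. The original
      # short form ("8080") published plain-HTTP Keycloak on a random host
      # port on all interfaces, bypassing Traefik's TLS and letting a direct
      # client supply its own X-Forwarded-* headers (trusted because of
      # KC_PROXY_HEADERS below). Binding to loopback keeps the debug access
      # without that exposure.
      - target: 8080
        host_ip: 127.0.0.1
        protocol: tcp
    environment:
      KEYCLOAK_ADMIN: "${KEYCLOAK_ADMIN}"
      KEYCLOAK_ADMIN_PASSWORD: "${KEYCLOAK_ADMIN_PASSWORD}"
      KC_DB: postgres
      KC_DB_URL_HOST: postgres
      KC_DB_URL_DATABASE: "${POSTGRES_DB}"
      KC_DB_USERNAME: "${POSTGRES_USER}"
      KC_DB_PASSWORD: "${POSTGRES_PASSWORD}"
      # NOTE(review): the proxy/hostname option names below differ between
      # Keycloak releases; with ":latest" some may be ignored or rejected.
      # Check them against the release notes of the version you pin.
      KC_PROXY: edge
      # Environment values are strings; quoted so YAML does not turn them
      # into booleans.
      KC_HTTP_ENABLED: "true"
      KC_HOSTNAME: keycloak.dev.d3h.space
      KC_HOSTNAME_STRICT: "true"
      KC_HOSTNAME_STRICT_HTTPS: "true"
      # Keycloak trusts X-Forwarded-* from whoever connects. This is only
      # safe while Traefik is the sole network path to port 8080.
      KC_PROXY_HEADERS: xforwarded
      KC_FRONTEND_URL: https://keycloak.dev.d3h.space
      KC_HOSTNAME_URL: https://keycloak.dev.d3h.space
    depends_on:
      - postgres
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.keycloak.rule=Host(`keycloak.dev.d3h.space`)"
      - "traefik.http.routers.keycloak.entrypoints=websecure"
      - "traefik.http.routers.keycloak.tls.certresolver=letsencrypt"
      - "traefik.http.routers.keycloak.middlewares=keycloak-https-headers"
      - "traefik.http.services.keycloak.loadbalancer.server.port=8080"
      # Overwrite the forwarded headers with fixed values so that
      # client-supplied ones never reach Keycloak through this router.
      - "traefik.http.middlewares.keycloak-https-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.keycloak-https-headers.headers.customrequestheaders.X-Forwarded-Scheme=https"
      - "traefik.http.middlewares.keycloak-https-headers.headers.customrequestheaders.X-Forwarded-Host=keycloak.dev.d3h.space"
      - "traefik.http.routers.keycloak-http.rule=Host(`keycloak.dev.d3h.space`)"
      - "traefik.http.routers.keycloak-http.entrypoints=web"
      # NOTE(review): "redirect-to-https" is not defined by any label in this
      # file. If it lives in dynamic.yml (file provider), a Docker-label
      # router has to reference it as "redirect-to-https@file" - confirm.
      - "traefik.http.routers.keycloak-http.middlewares=redirect-to-https"
    entrypoint: ["/opt/keycloak/bin/kc.sh", "start"]

  # UI dashboard
  dashboard:
    image: netbirdio/dashboard:latest
    restart: unless-stopped
    #ports:
    #  - 80:80
    #  - 443:443
    environment:
      # Endpoints
      # NOTE(review): nothing in this file publishes port 33073 on the host
      # (Traefik publishes only 80/443). Confirm that browsers and clients
      # can actually reach these URLs.
      - NETBIRD_MGMT_API_ENDPOINT=https://dashboard.dev.d3h.space:33073
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://dashboard.dev.d3h.space:33073
      # OIDC
      - AUTH_AUDIENCE=netbird-client
      - AUTH_CLIENT_ID=netbird-client
      - AUTH_CLIENT_SECRET=
      - AUTH_AUTHORITY=https://keycloak.dev.d3h.space/realms/netbird
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api
      - AUTH_REDIRECT_URI=
      - AUTH_SILENT_REDIRECT_URI=
      - NETBIRD_TOKEN_SOURCE=accessToken
      # SSL
      # - NGINX_SSL_PORT=443
      # Letsencrypt
      # - LETSENCRYPT_DOMAIN=dashboard.dev.d3h.space
      # - LETSENCRYPT_EMAIL=dv-d3h@outlook.com
    volumes:
      - netbird-letsencrypt:/etc/letsencrypt/
    labels:
      - traefik.enable=true
      - traefik.http.routers.netbird-dashboard.rule=Host(`dashboard.dev.d3h.space`)
      - traefik.http.routers.netbird-dashboard.entrypoints=web
      - traefik.http.routers.netbird-dashboard.middlewares=redirect-to-https
      - traefik.http.routers.netbird-dashboard-https.rule=Host(`dashboard.dev.d3h.space`)
      - traefik.http.routers.netbird-dashboard-https.entrypoints=websecure
      - traefik.http.routers.netbird-dashboard-https.tls.certresolver=letsencrypt
      - traefik.http.routers.netbird-dashboard-https.service=netbird-dashboard
      - traefik.http.services.netbird-dashboard.loadbalancer.server.port=80
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"

  # Signal
  signal:
    image: netbirdio/signal:latest
    restart: unless-stopped
    volumes:
      - netbird-signal:/var/lib/netbird
    #ports:
    #  - 10000:80
    #  # port and command for Let's Encrypt validation
    #  - 443:443
    # command: ["--letsencrypt-domain", "", "--log-file", "console"]
    labels:
      - traefik.enable=true
      # NOTE(review): this router and the netbird-relay, netbird-api and
      # netbird-management routers declare neither "entrypoints" nor "tls".
      # Unless traefik.yml sets TLS as an entrypoint default on websecure,
      # they attach to every entrypoint as plain-HTTP routers, which would
      # serve the management API and signalling on port 80 without TLS.
      # Verify against traefik.yml, or set entrypoints/tls here explicitly.
      - traefik.http.routers.netbird-signal.rule=Host(`dashboard.dev.d3h.space`) && PathPrefix(`/signalexchange.SignalExchange/`)
      - traefik.http.services.netbird-signal.loadbalancer.server.port=10000
      - traefik.http.services.netbird-signal.loadbalancer.server.scheme=h2c
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"

  # Relay
  relay:
    image: netbirdio/relay:latest
    restart: unless-stopped
    environment:
      - NB_LOG_LEVEL=info
      - NB_LISTEN_ADDRESS=:33080
      - NB_EXPOSED_ADDRESS=dashboard.dev.d3h.space:33080
      # The relay authentication secret is read from the environment instead
      # of being stored in this file; Compose refuses to start when it is
      # unset. The literal value that was previously committed here must be
      # treated as disclosed: generate a new random secret and rotate it.
      # NOTE(review): the management service presumably needs the same
      # secret in management.json - confirm and update both together.
      - "NB_AUTH_SECRET=${NB_AUTH_SECRET:?NB_AUTH_SECRET must be set}"
    # ports:
    #   - 33080:33080
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
    labels:
      - traefik.enable=true
      - traefik.http.routers.netbird-relay.rule=Host(`dashboard.dev.d3h.space`) && PathPrefix(`/relay`)
      - traefik.http.services.netbird-relay.loadbalancer.server.port=33080

  # Management
  management:
    image: netbirdio/management:latest
    restart: unless-stopped
    depends_on:
      - dashboard
    volumes:
      - netbird-mgmt:/var/lib/netbird
      - netbird-letsencrypt:/etc/letsencrypt:ro
      # NOTE(review): management.json presumably carries IdP and relay
      # credentials; keep it out of version control and restrict its file
      # permissions on the host.
      - ./management.json:/etc/netbird/management.json
    #ports:
    #  - 33073:443 #API port
    # # command for Let's Encrypt validation without dashboard container
    # command: ["--letsencrypt-domain", "", "--log-file", "console"]
    command:
      - "--port"
      - "33073"
      - "--log-file"
      - "console"
      - "--log-level"
      - "info"
      # "=false" leaves anonymous metrics enabled.
      - "--disable-anonymous-metrics=false"
      - "--single-account-mode-domain=dashboard.dev.d3h.space"
      - "--dns-domain=netbird.selfhosted"
    labels:
      - traefik.enable=true
      - traefik.http.routers.netbird-api.rule=Host(`dashboard.dev.d3h.space`) && PathPrefix(`/api`)
      - traefik.http.routers.netbird-api.service=netbird-api
      - traefik.http.services.netbird-api.loadbalancer.server.port=33073
      - traefik.http.routers.netbird-management.rule=Host(`dashboard.dev.d3h.space`) && PathPrefix(`/management.ManagementService/`)
      - traefik.http.routers.netbird-management.service=netbird-management
      - traefik.http.services.netbird-management.loadbalancer.server.port=33073
      - traefik.http.services.netbird-management.loadbalancer.server.scheme=h2c
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
    environment:
      # If a DSN is filled in later it will contain database credentials;
      # supply it through ${...} interpolation rather than inline.
      - NETBIRD_STORE_ENGINE_POSTGRES_DSN=
      - NETBIRD_STORE_ENGINE_MYSQL_DSN=

  # Coturn
  coturn:
    image: coturn/coturn:latest
    restart: unless-stopped
    domainname: dashboard.dev.d3h.space
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
      # - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
      # - ./cert.pem:/etc/coturn/certs/cert.pem:ro
    # Host networking: every listener configured in turnserver.conf binds
    # directly on the host, outside Traefik and Docker's port mapping, so
    # host firewall rules are the only filter in front of it.
    network_mode: host
    command:
      - -c /etc/turnserver.conf
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"

volumes:
  netbird-mgmt:
  netbird-signal:
  netbird-letsencrypt: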