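---
# Compose stack: Traefik reverse proxy (TLS termination) in front of
# Keycloak, backed by PostgreSQL. Secrets come from the environment /
# an .env file, which should stay out of version control.
services:
  traefik:
    image: traefik:v2.11
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # NOTE(review): ':ro' only makes the socket file read-only as a mount;
      # it does not restrict the Docker API calls sent through it, so this
      # container can effectively control the Docker daemon. Consider a
      # filtering socket proxy limited to the read-only endpoints Traefik
      # needs.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/traefik.yml:/etc/traefik/traefik.yml:ro
      - ./traefik/dynamic.yml:/etc/traefik/dynamic.yml:ro
      # Holds the ACME account key and certificate private keys: keep it at
      # mode 600 on the host and out of version control.
      - ./traefik/acme.json:/acme.json
    labels:
      - "traefik.enable=true"

  postgres:
    image: postgres:16
    restart: unless-stopped
    environment:
      POSTGRES_DB: ${POSTGRES_DB}
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
    volumes:
      - ./pgdata:/var/lib/postgresql/data

  keycloak:
    # NOTE(review): ':latest' is a moving tag, so a pull can silently change
    # the Keycloak major version. Pin a specific release tag (or digest) that
    # has been tested with the KC_* options below.
    image: quay.io/keycloak/keycloak:latest
    restart: unless-stopped
    ports:
      # Debug access from the Docker host only (ephemeral loopback port; look
      # it up with `docker compose port keycloak 8080`). Other containers
      # reach keycloak:8080 over the compose network without any published
      # port. Publishing on all interfaces would let clients reach the
      # plain-HTTP listener directly, bypassing Traefik's TLS and supplying
      # their own X-Forwarded-* headers, which KC_PROXY_HEADERS trusts.
      - "127.0.0.1::8080"
    environment:
      KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
      KC_DB: postgres
      KC_DB_URL_HOST: postgres
      KC_DB_URL_DATABASE: ${POSTGRES_DB}
      KC_DB_USERNAME: ${POSTGRES_USER}
      KC_DB_PASSWORD: ${POSTGRES_PASSWORD}
      # NOTE(review): KC_PROXY and KC_PROXY_HEADERS, and KC_HOSTNAME_URL /
      # KC_HOSTNAME_STRICT_HTTPS alongside KC_HOSTNAME, appear to come from
      # different generations of Keycloak's proxy/hostname configuration;
      # which of them is honoured depends on the image version actually
      # pulled. KC_FRONTEND_URL may not be a kc.sh option at all. Verify
      # against the docs of the pinned release and drop what it rejects.
      KC_PROXY: edge
      # Environment values are strings; quoted so the YAML parser does not
      # turn them into booleans.
      KC_HTTP_ENABLED: "true"
      KC_HOSTNAME: keycloak.dev.d3h.space
      KC_HOSTNAME_STRICT: "true"
      KC_HOSTNAME_STRICT_HTTPS: "true"
      KC_PROXY_HEADERS: xforwarded
      KC_FRONTEND_URL: https://keycloak.dev.d3h.space
      KC_HOSTNAME_URL: https://keycloak.dev.d3h.space
    # Short-form depends_on only orders container start; it does not wait for
    # PostgreSQL to accept connections.
    depends_on:
      - postgres
    labels:
      - "traefik.enable=true"
      # HTTPS router: TLS via the 'letsencrypt' resolver, forwarded to 8080.
      - "traefik.http.routers.keycloak.rule=Host(`keycloak.dev.d3h.space`)"
      - "traefik.http.routers.keycloak.entrypoints=websecure"
      - "traefik.http.routers.keycloak.tls.certresolver=letsencrypt"
      - "traefik.http.routers.keycloak.middlewares=keycloak-https-headers"
      - "traefik.http.services.keycloak.loadbalancer.server.port=8080"
      # Overwrite the forwarded scheme/host with fixed values so Keycloak
      # never acts on client-supplied ones for requests routed via Traefik.
      - "traefik.http.middlewares.keycloak-https-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.keycloak-https-headers.headers.customrequestheaders.X-Forwarded-Scheme=https"
      - "traefik.http.middlewares.keycloak-https-headers.headers.customrequestheaders.X-Forwarded-Host=keycloak.dev.d3h.space"
      # Plain-HTTP router: only redirects to HTTPS.
      # NOTE(review): 'redirect-to-https' is not defined in these labels. If
      # it is declared in the file provider (dynamic.yml), a reference from
      # Docker labels needs the provider suffix, i.e. redirect-to-https@file.
      # Confirm where it is defined.
      - "traefik.http.routers.keycloak-http.rule=Host(`keycloak.dev.d3h.space`)"
      - "traefik.http.routers.keycloak-http.entrypoints=web"
      - "traefik.http.routers.keycloak-http.middlewares=redirect-to-https"
    entrypoint: ["/opt/keycloak/bin/kc.sh", "start"]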