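---
# ZITADEL identity provider with its PostgreSQL database. ZITADEL is attached
# to the external reverse-proxy network `caddyNet`; the database is attached
# only to the private `zitadel-int` bridge.
#
# Secrets are not stored in this file. Compose substitutes the ${...}
# references from the shell environment or from a `.env` file next to this
# file, and the `:?` form aborts `docker compose up` when a value is missing.
# Keep that `.env` file out of version control and readable only by its owner.
# Any secret that was previously committed inline in a compose file should be
# treated as exposed and replaced rather than copied into `.env`.
services:
  zitadel:
    restart: 'always'
    networks:
      - 'zitadel-int'
      - 'caddyNet'
    container_name: zitadel
    # Consider pinning to a specific version for stability, e.g., v2.55.0.
    # `latest` can change the running identity provider on any pull.
    image: 'ghcr.io/zitadel/zitadel:latest'
    # --masterkeyFromEnv makes ZITADEL read the key from ZITADEL_MASTERKEY
    # instead of the command line, where it would sit in this file and in the
    # container's argument list. ZITADEL expects a master key of exactly
    # 32 bytes. The environment is still visible through `docker inspect`;
    # --masterkeyFile with a mounted secret is the stricter option.
    # NOTE(review): TLS is disabled here and ZITADEL_EXTERNALSECURE is false;
    # confirm this matches how the proxy on caddyNet terminates TLS.
    command: 'start-from-init --masterkeyFromEnv --tlsMode disabled'
    environment:
      ZITADEL_MASTERKEY: '${ZITADEL_MASTERKEY:?set ZITADEL_MASTERKEY}'
      # FIX 1: use the Compose service name 'db' as the database host.
      ZITADEL_DATABASE_POSTGRES_HOST: 'db'
      ZITADEL_DATABASE_POSTGRES_PORT: '5432'
      ZITADEL_DATABASE_POSTGRES_DATABASE: 'zitadel'
      ZITADEL_DATABASE_POSTGRES_USER_USERNAME: 'zitadel'
      ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: '${DB_PASSWORD:?set DB_PASSWORD}'
      # Database traffic is unencrypted; it stays on the zitadel-int bridge.
      ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE: 'disable'
      ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: 'postgres'
      ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: '${DB_ADMIN_PASSWORD:?set DB_ADMIN_PASSWORD}'
      ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: 'disable'
      # Quoted so every Compose version passes the literal string through.
      ZITADEL_EXTERNALSECURE: 'false'
      ZITADEL_FIRSTINSTANCE_ORG_NAME: 'HomeLab'
      ZITADEL_FIRSTINSTANCE_ORG_HUMAN_USERNAME: 'myname@gmail.com'
      # Initial admin password; with PASSWORDCHANGEREQUIRED false it stays
      # valid until someone changes it by hand.
      ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PASSWORD: '${ZITADEL_LOGIN_PASSWORD:?set ZITADEL_LOGIN_PASSWORD}'
      ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PASSWORDCHANGEREQUIRED: 'false'
      ZITADEL_FIRSTINSTANCE_ORG_HUMAN_EMAIL_VERIFIED: 'true'
      ZITADEL_EXTERNALDOMAIN: 'subdomain.mydomain.com'
      # NOTE(review): DEBUG is useful while bringing the stack up; lower it
      # afterwards so authentication details are not written to the logs.
      ZITADEL_LOG_LEVEL: 'DEBUG'
    depends_on:
      db:
        condition: 'service_healthy'
    # This mapping publishes ZITADEL's plain-HTTP port on every host
    # interface. If only the proxy on caddyNet needs to reach it, remove the
    # mapping or bind it to loopback, e.g. '127.0.0.1:9980:8080'.
    ports:
      - '9980:8080'

  db:
    restart: 'always'
    image: 'postgres:17-alpine'
    container_name: zitadel-db
    # FIX 3: add this back to prevent permission errors on the bind mount.
    # user: "${PUID}:${PGID}"
    environment:
      POSTGRES_DB: 'zitadel'
      POSTGRES_USER: 'postgres'
      POSTGRES_PASSWORD: '${DB_ADMIN_PASSWORD:?set DB_ADMIN_PASSWORD}'
      # Ensures pg_isready uses the correct user.
      PGUSER: 'postgres'
    networks:
      - 'zitadel-int'
    healthcheck:
      # FIX 2: CMD-SHELL takes the whole command as ONE string. When the
      # arguments are given as separate list items, the shell receives them
      # as positional parameters and pg_isready runs without -d/-U.
      test: ['CMD-SHELL', 'pg_isready -d zitadel -U postgres']
      interval: '10s'
      timeout: '30s'
      retries: 5
      start_period: '20s'
    volumes:
      # - ${DB_LOCATION}:/var/lib/postgresql/data:rw
      - '/volume1/docker/zitadel/db:/var/lib/postgresql/data:rw'

networks:
  zitadel-int:
    driver: bridge
    name: zitadel-int
  caddyNet:
    external: true
    name: caddyNet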