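# Dev stack: Traefik (service router), Postgres, and Zitadel (identity provider).
# 1. Nginx is our tenant router: once traffic arrives at our datacenter network it's routed to a VM
# 2. Traefik is our service router once traffic arrives at the VM
services:
  traefik:
    image: "traefik:v3.4.4"
    command:
      - "--providers.docker=true"
      # Containers are only routed when they opt in with the traefik.enable=true label.
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      # Enables the /ping endpoint that the healthcheck below polls.
      - "--ping=true"
    ports:
      # We only route http traffic, as our VMs only receive traffic from our private network.
      # Port 8080 (ping) is not published to the host, but other containers on
      # lmd-dev-network can still reach it.
      - "80:80"
    healthcheck:
      test: ["CMD", "wget", "--spider", "-q", "http://localhost:8080/ping"]
      interval: 10s
      timeout: 3s
      retries: 3
    volumes:
      # NOTE(review): ":ro" only makes the socket file read-only; it does not limit
      # which Docker API calls can be made through it. Anything that compromises this
      # container can control the Docker daemon. Consider fronting the socket with a
      # filtering socket proxy that exposes only the read endpoints Traefik needs.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      - lmd-dev-network
    container_name: lmd-dev-traefik

  postgres:
    image: postgres:15-alpine  # Pinned for zitadel compatibility
    # Database credentials live in this file; keep it out of version control.
    env_file:
      - ./postgres/.env
    restart: always
    ports:
      # NOTE(review): this publishes Postgres on every host interface. Zitadel reaches
      # it over lmd-dev-network, so if only tooling on this host needs direct access,
      # bind to loopback instead ("127.0.0.1:5432:5432"). Confirm who connects first.
      - "5432:5432"
    volumes:
      - lmd-dev-postgres-data:/var/lib/postgresql/data
      # Init scripts picked up by the image's entrypoint. This mounts the whole
      # ./postgres directory, including the .env file referenced above.
      - ./postgres:/docker-entrypoint-initdb.d
    healthcheck:
      # Exec form ("CMD") so the -d/-U arguments actually reach pg_isready. With
      # "CMD-SHELL" only the first list element is run as the shell command and the
      # remaining elements are not passed to pg_isready.
      test: ["CMD", "pg_isready", "-d", "zitadel", "-U", "postgres"]
      interval: "10s"
      timeout: "30s"
      retries: 5
      start_period: "20s"
    container_name: lmd-dev-postgres
    networks:
      - lmd-dev-network

  zitadel:
    # The user needs to have permission to write to ./zitadel/machinekey or zitadel crashes.
    # NOTE(review): bash does not export UID by default, so this falls back to 1000
    # unless UID is exported or defined in the compose .env file.
    user: "${UID:-1000}"
    image: "ghcr.io/zitadel/zitadel:v4.0.0"
    restart: "always"
    # Expected to hold the master key read by --masterkeyFromEnv (presumably
    # ZITADEL_MASTERKEY; confirm) plus other settings; keep it out of version control.
    env_file:
      - ./zitadel/.env
    environment:
      - ZITADEL_EXTERNALDOMAIN=${TENANT_HOSTNAME_PREFIX}-auth.${DOMAIN_NAME}
    command: "start-from-init --masterkeyFromEnv"
    # Start only after the database and the router report healthy.
    depends_on:
      postgres:
        condition: service_healthy
      traefik:
        condition: service_healthy
    volumes:
      # Bind the generated machine key to a host directory for terraform.
      # The key is a credential: restrict permissions on the host directory and
      # exclude it from version control.
      - ./zitadel/machinekey:/machinekey
    container_name: lmd-dev-zitadel
    networks:
      - lmd-dev-network
    healthcheck:
      test: ["CMD", "/app/zitadel", "ready"]
      interval: 5s
      timeout: 5s
      retries: 10
      start_period: 15s
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.zitadel.rule=Host(`${TENANT_HOSTNAME_PREFIX}-auth.${DOMAIN_NAME}`)"
      - "traefik.http.routers.zitadel.entrypoints=web"
      - "traefik.http.services.zitadel.loadbalancer.server.port=8080"
      # allow gRPC for terraform
      - "traefik.http.services.zitadel.loadbalancer.server.scheme=h2c"

networks:
  lmd-dev-network:
    driver: bridge

volumes:
  lmd-dev-postgres-data: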