services:
  nginx:
    image: nginx:alpine
    restart: unless-stopped
    ports:
      - "80:80"
    volumes:
      - ./nginx/default.conf.template:/etc/nginx/templates/default.conf.template:ro
    environment:
      DOMAIN: ${DOMAIN:-localhost}
    env_file: ../.env.resolved
    networks:
      - ulti-net
    depends_on:
      ultid:
        condition: service_started
      authentik-server:
        condition: service_started

  ultid:
    build:
      context: ..
      dockerfile: Dockerfile
    restart: unless-stopped
    env_file: ../.env.resolved
    networks:
      - ulti-net
    healthcheck:
      test: ["CMD", "wget", "-qO-", "http://localhost:8080/healthz"]
      interval: 5s
      timeout: 3s
      retries: 3
    depends_on:
      postgres:
        condition: service_healthy
      keydb:
        condition: service_healthy
      rustfs:
        condition: service_started

  postgres:
    image: postgres:16-alpine
    restart: unless-stopped
    env_file: ../.env.resolved
    volumes:
      - postgres_data:/var/lib/postgresql/data
      - ./init-db.sh:/docker-entrypoint-initdb.d/init-db.sh:ro
    networks:
      - ulti-net
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB}"]
      interval: 5s
      timeout: 5s
      retries: 5
      start_period: 10s

  keydb:
    image: eqalpha/keydb:latest
    restart: unless-stopped
    command: keydb-server --appendonly yes
    volumes:
      - keydb_data:/data
    networks:
      - ulti-net
    healthcheck:
      test: ["CMD", "keydb-cli", "-h", "127.0.0.1", "ping"]
      interval: 10s
      timeout: 3s
      retries: 5
      start_period: 10s

  rustfs:
    image: rustfs/rustfs:latest
    restart: unless-stopped
    command: server /data
    ports:
      - "9002:9000"
      - "9003:9001"
    environment:
      RUSTFS_ACCESS_KEY: ${RUSTFS_ACCESS_KEY}
      RUSTFS_SECRET_KEY: ${RUSTFS_SECRET_KEY}
    volumes:
      - rustfs_data:/data
    networks:
      - ulti-net

  authentik-server:
    image: ghcr.io/goauthentik/server:latest
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
      AUTHENTIK_POSTGRESQL__HOST: ${AUTHENTIK_POSTGRESQL__HOST}
      AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_POSTGRESQL__USER}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_POSTGRESQL__PASSWORD}
      AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_POSTGRESQL__NAME}
      AUTHENTIK_REDIS__HOST: ${AUTHENTIK_REDIS__HOST}
      AUTHENTIK_WEB__PATH: /auth/
    env_file: ../.env.resolved
    networks:
      - ulti-net
    depends_on:
      postgres:
        condition: service_healthy
      keydb:
        condition: service_healthy

  authentik-worker:
    image: ghcr.io/goauthentik/server:latest
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
      AUTHENTIK_POSTGRESQL__HOST: ${AUTHENTIK_POSTGRESQL__HOST}
      AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_POSTGRESQL__USER}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_POSTGRESQL__PASSWORD}
      AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_POSTGRESQL__NAME}
      AUTHENTIK_REDIS__HOST: ${AUTHENTIK_REDIS__HOST}
      AUTHENTIK_WEB__PATH: /auth/
    env_file: ../.env.resolved
    networks:
      - ulti-net
    depends_on:
      postgres:
        condition: service_healthy
      keydb:
        condition: service_healthy

networks:
  ulti-net:
    driver: bridge

volumes:
  postgres_data:
  keydb_data:
  rustfs_data: