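# =============================================================================
# Infisical - Secret Management Platform
# =============================================================================
# Deploy on Netcup RS 8000: /opt/infisical/
#
# Setup:
#   1. Copy this file to /opt/infisical/ on Netcup
#   2. Create .env with required secrets (see .env.example)
#   3. docker compose up -d
#   4. Add DNS CNAME: secrets.jeffemmett.com -> tunnel
#   5. Add tunnel hostname in /root/cloudflared/config.yml
#   6. Visit https://secrets.jeffemmett.com to complete setup
#
# Security notes:
#   - .env holds the root key material for every secret stored here. Keep it
#     out of version control and readable by the deploying user only.
#   - ENCRYPTION_KEY protects the data at rest in Postgres; back it up
#     separately from the infisical-pgdata volume.
#

services:
  infisical:
    # NOTE(review): `latest` is a moving tag, so a restart or pull can change
    # the running version of the secrets manager without review. Pin a tested
    # release tag or image digest, e.g. infisical/infisical:<PINNED_TAG>.
    image: infisical/infisical:latest
    container_name: infisical
    restart: always
    environment:
      - ENCRYPTION_KEY=${INFISICAL_ENCRYPTION_KEY}
      - AUTH_SECRET=${INFISICAL_AUTH_SECRET}
      # The password is interpolated into a URI: characters such as @ : / ? #
      # in INFISICAL_DB_PASS must be percent-encoded or the URI parses wrongly.
      - DB_CONNECTION_URI=postgresql://infisical:${INFISICAL_DB_PASS}@infisical-db:5432/infisical
      - REDIS_URL=redis://infisical-redis:6379
      - SITE_URL=https://secrets.jeffemmett.com
      - SMTP_HOST=mailcowdockerized-postfix-mailcow-1
      - SMTP_PORT=587
      - SMTP_FROM_ADDRESS=noreply@rmail.online
      - SMTP_FROM_NAME=rSpace Secrets
      - SMTP_USERNAME=noreply@rmail.online
      - SMTP_PASSWORD=${SMTP_PASSWORD}
      # Certificate verification is off for the SMTP hop only, presumably
      # because the mailcow certificate does not match the container hostname
      # used in SMTP_HOST. SMTP_PASSWORD is therefore sent to an unverified
      # peer; the exposure is limited to mailcow-network. Prefer trusting the
      # mail server's CA (NODE_EXTRA_CA_CERTS=<path to CA bundle>) and an
      # SMTP_HOST that matches the certificate, then set this to true.
      - SMTP_TLS_REJECT_UNAUTHORIZED=false
      # NODE_TLS_REJECT_UNAUTHORIZED=0 was removed: it disables certificate
      # verification for every outbound TLS connection the Node.js process
      # makes, not just SMTP, which is too broad for a secrets manager.
      # If mail delivery fails without it, fix trust for the SMTP peer as
      # described above rather than restoring the global switch.
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.infisical.rule=Host(`secrets.jeffemmett.com`)"
      # NOTE(review): `web` is presumably Traefik's plain-HTTP entrypoint, with
      # TLS terminated upstream by the tunnel. Confirm that entrypoint is not
      # reachable from outside the host, otherwise sessions and secrets
      # travel in cleartext.
      - "traefik.http.routers.infisical.entrypoints=web"
      - "traefik.http.services.infisical.loadbalancer.server.port=8080"
      - "traefik.docker.network=traefik-public"
    networks:
      - traefik-public
      - infisical-internal
      - mailcow-network
    depends_on:
      infisical-db:
        condition: service_healthy
      infisical-redis:
        condition: service_healthy
    # Matches the hardening already applied to infisical-db and
    # infisical-redis. NOTE(review): also consider `cap_drop: [ALL]` here once
    # verified against the image's entrypoint.
    security_opt:
      - no-new-privileges:true

  infisical-db:
    image: postgres:16-alpine
    container_name: infisical-db
    restart: always
    environment:
      POSTGRES_PASSWORD: ${INFISICAL_DB_PASS}
      POSTGRES_USER: infisical
      POSTGRES_DB: infisical
    volumes:
      - infisical-pgdata:/var/lib/postgresql/data
    # Only on the internal network: no published ports, not reachable from
    # traefik-public or mailcow-network.
    networks:
      - infisical-internal
    healthcheck:
      test: pg_isready -U infisical -d infisical
      interval: 10s
      timeout: 3s
      retries: 3
    # Drop everything, then add back only the capabilities listed here.
    cap_drop:
      - ALL
    cap_add:
      - DAC_OVERRIDE
      - FOWNER
      - SETGID
      - SETUID
    security_opt:
      - no-new-privileges:true

  infisical-redis:
    # NOTE(review): Redis runs without authentication; access control relies
    # entirely on infisical-internal being an internal network with no other
    # tenants. Keep unrelated containers off that network.
    image: redis:7.2-alpine
    container_name: infisical-redis
    restart: always
    healthcheck:
      test: redis-cli ping
      interval: 10s
      timeout: 3s
      retries: 3
    networks:
      - infisical-internal
    cap_drop:
      - ALL
    cap_add:
      - SETGID
      - SETUID
    security_opt:
      - no-new-privileges:true

volumes:
  infisical-pgdata: {}

networks:
  traefik-public:
    external: true
  # internal: true means containers on this network get no route to the
  # outside world through it.
  infisical-internal:
    internal: true
  mailcow-network:
    external: true
    name: mailcowdockerized_mailcow-network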