services:
  postiz-cc:
    image: ghcr.io/gitroomhq/postiz-app:latest
    container_name: postiz-cc
    restart: unless-stopped
    entrypoint: ["/infisical-entrypoint.sh"]
    command: ["docker-entrypoint.sh", "sh", "-c", "nginx && pnpm run pm2"]
    environment:
      # === Infisical secret injection ===
      INFISICAL_CLIENT_ID: "${INFISICAL_CLIENT_ID}"
      INFISICAL_CLIENT_SECRET: "${INFISICAL_CLIENT_SECRET}"
      INFISICAL_PROJECT_SLUG: "postiz-crypto-commons"
      INFISICAL_ENV: "prod"
      INFISICAL_URL: "http://infisical:8080"
      # === Config (not secrets) ===
      MAIN_URL: "https://socials.crypto-commons.org"
      FRONTEND_URL: "https://socials.crypto-commons.org"
      NEXT_PUBLIC_BACKEND_URL: "https://socials.crypto-commons.org/api"
      DATABASE_URL: "postgresql://postiz:${POSTGRES_PASSWORD}@postiz-cc-postgres:5432/postiz"
      REDIS_URL: "redis://postiz-cc-redis:6379"
      BACKEND_INTERNAL_URL: "http://localhost:3000"
      TEMPORAL_ADDRESS: "postiz-cc-temporal:7233"
      IS_GENERAL: "true"
      DISABLE_REGISTRATION: "true"
      STORAGE_PROVIDER: "local"
      UPLOAD_DIRECTORY: "/uploads"
      NEXT_PUBLIC_UPLOAD_DIRECTORY: "/uploads"
      # === OAuth config (client_id/secret come from Infisical) ===
      POSTIZ_GENERIC_OAUTH: "true"
      NEXT_PUBLIC_POSTIZ_OAUTH_DISPLAY_NAME: "Pocket ID"
      NEXT_PUBLIC_POSTIZ_OAUTH_LOGO_URL: "https://raw.githubusercontent.com/pocket-id/pocket-id/refs/heads/main/frontend/static/img/static-logo.svg"
      POSTIZ_OAUTH_URL: "https://auth.jeffemmett.com"
      POSTIZ_OAUTH_AUTH_URL: "https://auth.jeffemmett.com/authorize"
      POSTIZ_OAUTH_TOKEN_URL: "https://auth.jeffemmett.com/api/oidc/token"
      POSTIZ_OAUTH_USERINFO_URL: "https://auth.jeffemmett.com/api/oidc/userinfo"
      # === Email config (EMAIL_PASS comes from Infisical) ===
      EMAIL_PROVIDER: "nodemailer"
      EMAIL_FROM_NAME: "Crypto Commons"
      EMAIL_FROM_ADDRESS: "noreply@rmail.online"
      EMAIL_HOST: "mailcowdockerized-postfix-mailcow-1"
      EMAIL_PORT: "587"
      EMAIL_SECURE: "false"
      EMAIL_USER: "noreply@rmail.online"
      NODE_TLS_REJECT_UNAUTHORIZED: "0"
      API_LIMIT: 30
      NX_ADD_PLUGINS: false
    volumes:
      - postiz-cc-config:/config/
      - postiz-cc-uploads:/uploads/
      - /opt/infisical/entrypoint-wrapper.sh:/infisical-entrypoint.sh:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.postiz-cc.rule=Host(`socials.crypto-commons.org`) || Host(`socials.valleyofthecommons.com`)"
      - "traefik.http.routers.postiz-cc.entrypoints=web,websecure"
      - "traefik.http.services.postiz-cc.loadbalancer.server.port=5000"
      - "traefik.docker.network=traefik-public"
    networks:
      - traefik-public
      - postiz-cc-internal
      - mailcow-network
    depends_on:
      postiz-cc-postgres:
        condition: service_healthy
      postiz-cc-redis:
        condition: service_healthy
      postiz-cc-temporal:
        condition: service_started

  postiz-cc-postgres:
    image: postgres:17-alpine
    container_name: postiz-cc-postgres
    restart: unless-stopped
    environment:
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD}"
      POSTGRES_USER: postiz
      POSTGRES_DB: postiz
    volumes:
      - postiz-cc-postgres-data:/var/lib/postgresql/data
    networks:
      - postiz-cc-internal
    healthcheck:
      test: pg_isready -U postiz -d postiz
      interval: 10s
      timeout: 3s
      retries: 3

  postiz-cc-redis:
    image: redis:7.2
    container_name: postiz-cc-redis
    restart: unless-stopped
    healthcheck:
      test: redis-cli ping
      interval: 10s
      timeout: 3s
      retries: 3
    volumes:
      - postiz-cc-redis-data:/data
    networks:
      - postiz-cc-internal

  postiz-cc-elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.17.24
    container_name: postiz-cc-elasticsearch
    restart: unless-stopped
    environment:
      - discovery.type=single-node
      - xpack.security.enabled=false
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    volumes:
      - postiz-cc-elasticsearch-data:/usr/share/elasticsearch/data
    networks:
      - postiz-cc-internal
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:9200/_cluster/health"]
      interval: 30s
      timeout: 10s
      retries: 5

  postiz-cc-temporal-postgres:
    image: postgres:16
    container_name: postiz-cc-temporal-postgres
    restart: unless-stopped
    environment:
      POSTGRES_PASSWORD: temporal
      POSTGRES_USER: temporal
    networks:
      - postiz-cc-internal
    volumes:
      - postiz-cc-temporal-postgres-data:/var/lib/postgresql/data

  postiz-cc-temporal:
    image: temporalio/auto-setup:1.28.1
    container_name: postiz-cc-temporal
    restart: unless-stopped
    depends_on:
      - postiz-cc-temporal-postgres
      - postiz-cc-elasticsearch
    environment:
      - DB=postgres12
      - DB_PORT=5432
      - POSTGRES_USER=temporal
      - POSTGRES_PWD=temporal
      - POSTGRES_SEEDS=postiz-cc-temporal-postgres
      - ENABLE_ES=true
      - ES_SEEDS=postiz-cc-elasticsearch
      - ES_VERSION=v7
      - TEMPORAL_NAMESPACE=default
    networks:
      - postiz-cc-internal

volumes:
  postiz-cc-postgres-data:
  postiz-cc-redis-data:
  postiz-cc-config:
  postiz-cc-uploads:
  postiz-cc-temporal-postgres-data:
  postiz-cc-elasticsearch-data:

networks:
  traefik-public:
    external: true
  postiz-cc-internal:
    driver: bridge
  mailcow-network:
    external: true
    name: mailcowdockerized_mailcow-network