# https://github.com/photoview/photoview/blob/master/docker-compose%20example/docker-compose.example.yml
#
secrets:
  photoview_postgresql_password:
    file: "${SECRETSDIR}/photoview_postgresql_password"
  photoview_postgresql_database:
    file: "${SECRETSDIR}/photoview_postgresql_database"
  photoview_postgresql_username:
    file: "${SECRETSDIR}/photoview_postgresql_username"
  photoview_database_url:
    file: "${SECRETSDIR}/photoview_database_url"

networks:
  traefik-net:
    external: true
  postgres-net:
    external: true
 
services:
  photoview:
    image: photoview/photoview:latest
    hostname: "${APPLICATION_NAME}"
    env_file: .photoview.env
    user: "${PUID}:${MEDIA_PGID}"
    networks:
      - postgres-net
      - traefik-net
    secrets:
      - photoview_postgresql_database
      - photoview_postgresql_password
      - photoview_postgresql_username
      - photoview_database_url
    environment:
    # can't get photoview to work with docker secrets; remove when photoview work with docker secrets
      - PHOTOVIEW_POSTGRES_URL=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@photoview_postgresql:${POSTGRES_DB_PORT}/${POSTGRES_DB}
    #  
    # for future photoview that supports docker secrets
    #  - PHOTOVIEW_POSTGRES_URL=postgres://$${POSTGRES_USER}:$${POSTGRES_PASSWORD}@photoview_postgresql:${POSTGRES_DB_PORT}/$${POSTGRES_DB}
    # OR as per single PHOTOVIEW_POSTGRES_URL_FILE entry in .photoview.env
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      - "${DATADIR}/config:/etc/photoview"
      - "${DATADIR}/appdata:/home/photoview"
      - "${MEDIADIR}/Pictures/Photos:/photos:ro"
#      - "${DATADIR}/backups:/mnt/backups"
    restart: unless-stopped
    stop_grace_period: 10s
#    healthcheck:
#      test: [ "CMD", "bash", "-c", "[ $(curl -s -o /dev/null -w '%{http_code}' http://localhost:80/login) == '200' ]" ]
#      interval: 1m
#      timeout: 2s
#      retries: 5
#      start_period: 30s
    depends_on:
      postgresql:
        condition: service_healthy
    ## Security options for some restricted systems
    security_opt:
      - seccomp:unconfined
      - apparmor:unconfined
    ## Share hardware devices with FFmpeg (optional):
    devices:
      ## Uncomment next devices mappings if they are available in your host system
      ## Intel QSV
      # - "/dev/dri:/dev/dri"
      ## Nvidia CUDA
      - "/dev/nvidia0:/dev/nvidia0"
      - "/dev/nvidiactl:/dev/nvidiactl"
      - "/dev/nvidia-modeset:/dev/nvidia-modeset"
      # - "/dev/nvidia-nvswitchctl:/dev/nvidia-nvswitchctl"
      - "/dev/nvidia-uvm:/dev/nvidia-uvm"
      - "/dev/nvidia-uvm-tools:/dev/nvidia-uvm-tools"
      ## Video4Linux Video Encode Device (h264_v4l2m2m)
      # - "/dev/video11:/dev/video11"
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik-net
      #
      # http middlewares
      # ----------------
      - "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.scheme=https"  # we have global redirection, but added for good measure
      - "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.permanent=true"  # we have global redirection, but added for good measure
      #
      # http services
      # -------------
      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
      #
      # http routers
      # ------------
      # limit router to web ":80" entrypoint (Note: web entrypoint http requests are globally redirected to websecure router in traefik.yml)
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
      # set match criteria for router
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
      # attach middlewares to router
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=${APPLICATION_NAME}-https-redirect"
      # assign svc target to router
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
      #
      # limit router to websecure ":443" entrypoint
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
      # set match criteria for router
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
      # set router to be dedicated to secure requests only for the host specified in match criteria 
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
      # generate certificates using following certresolver
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=sthomeresolver"
      # assign svc target to router
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"

  postgresql:
    image: postgres:16-alpine
    hostname: "${APPLICATION_NAME}_postgresql"
    shm_size: 128mb # https://hub.docker.com/_/postgres
    env_file: .postgresql.env
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    networks:
      postgres-net:
          aliases: ["${APPLICATION_NAME}_postgresql"]
    secrets:
      - ${APPLICATION_NAME}_postgresql_database
      - ${APPLICATION_NAME}_postgresql_password
      - ${APPLICATION_NAME}_postgresql_username
    volumes:
      - "${DATADIR}/pgdata:/var/lib/postgresql/data"
      - "${DATADIR}/pgbackups:/mnt/backups"