---
services:
  traefik:
    networks:
      opencloud-net:
        aliases:
          - ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}

  opencloud:
    environment:
      # Keycloak IDP specific configuration
      PROXY_AUTOPROVISION_ACCOUNTS: "false"
      PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
      OC_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/${KEYCLOAK_REALM:-openCloud}
      PROXY_OIDC_REWRITE_WELLKNOWN: "true"
      WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web}
      PROXY_USER_OIDC_CLAIM: "uuid"
      PROXY_USER_CS3_CLAIM: "userid"
      WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: "https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/${KEYCLOAK_REALM:-openCloud}/account"
      # admin and demo accounts must be created in Keycloak
      OC_ADMIN_USER_ID: ""
      SETTINGS_SETUP_DEFAULT_ASSIGNMENTS: "false"
      GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
      GRAPH_USERNAME_MATCH: "none"
      KEYCLOAK_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}

  postgres:
    image: postgres:alpine
    networks:
      opencloud-net:
    volumes:
      - keycloak_postgres_data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: keycloak
    logging:
      driver: ${LOG_DRIVER:-local}
    restart: always

  keycloak:
    image: quay.io/keycloak/keycloak:25.0.0
    networks:
      opencloud-net:
    command: ["start", "--proxy=edge", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm"]
    entrypoint: ["/bin/sh", "/opt/keycloak/bin/docker-entrypoint-override.sh"]
    volumes:
      - "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh"
      - "./config/keycloak/opencloud-realm.dist.json:/opt/keycloak/data/import-dist/opencloud-realm.json"
    environment:
      OC_DOMAIN: ${OC_DOMAIN:-cloud.opencloud.test}
      KC_HOSTNAME: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
      KC_DB: postgres
      KC_DB_URL: "jdbc:postgresql://postgres:5432/keycloak"
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: keycloak
      KC_FEATURES: impersonation
      KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN_USER:-admin}
      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.keycloak.entrypoints=https"
      - "traefik.http.routers.keycloak.rule=Host(`${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}`)"
      - "traefik.http.routers.keycloak.tls.certresolver=http"
      - "traefik.http.routers.keycloak.service=keycloak"
      - "traefik.http.services.keycloak.loadbalancer.server.port=8080"
    depends_on:
      - postgres
    logging:
      driver: ${LOG_DRIVER:-local}
    restart: always

volumes:
  keycloak_postgres_data: