services:
  frontend:
    image: git.federspiel.tech/flfeders/fedeo/frontend:dev
    restart: always
    environment:
      - NUXT_PUBLIC_API_BASE=https://app.fedeo.de/backend
      - NUXT_PUBLIC_PDF_LICENSE=eyJkYXRhIjoiZXlKMElqb2laR1YyWld4dmNHVnlJaXdpWVhaMUlqb3hOemt3TmpNNU9UazVMQ0prYlNJNkltRndjQzVtWldSbGJ5NWtaU0lzSW00aU9pSXpOemt3Wm1Vek5UazBZbVU0TlRRNElpd2laWGh3SWpveE56a3dOak01T1RrNUxDSmtiWFFpT2lKemNHVmphV1pwWXlJc0luQWlPaUoyYVdWM1pYSWlmUT09Iiwic2lnbmF0dXJlIjoicWU4K0ZxQUJDNUp5bEJUU094Vkd5RTJMbk9UNmpyc2EyRStsN2tNNWhkM21KK2ZvVjYwaTFKeFdhZGtqSDRNWXZxQklMc0dpdWh5d2pMbUFjRHZuWGxOcTRMcXFLRm53dzVtaG1LK3lTeDRXbzVaS1loK1VZdFBzWUZjV3oyUHVGMmJraGJrVjJ6RzRlTGtRU09wdmJKY3JUZU1rN0N1VkN6Q1UraHF5T0ZVVXllWnRmaHlmcWswZEFFL0RMR1hvTDFSQXFjNkNkYU9FTDRTdC9Idy9DQnFieTE2aisvT3RxQUlLcy9NWTR6SVk3RTI3bWo4RUx5VjhXNkdXNXhqc0VUVzNKN0RRMUVlb3RhVlNLT29kc3pVRlhUYzVlbHVuSm04ZlcwM1ErMUhtSnpmWGoyS1dwM1dnamJDazZYSHozamFML2lOdUYvZFZNaWYvc2FoR3NnPT0ifQ==
    networks:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      - "traefik.port=3000"
      # Middlewares
      - "traefik.http.middlewares.fedeo-frontend-redirect-web-secure.redirectscheme.scheme=https"
      # Web Entrypoint
      - "traefik.http.routers.fedeo-frontend.middlewares=fedeo-frontend-redirect-web-secure"
      - "traefik.http.routers.fedeo-frontend.rule=Host(`app.fedeo.de`) && PathPrefix(`/`)"
      - "traefik.http.routers.fedeo-frontend.entrypoints=web"
      - "traefik.http.routers.fedeo-frontend.priority=1"
      # Web Secure Entrypoint
      - "traefik.http.routers.fedeo-frontend-secure.rule=Host(`app.fedeo.de`) && PathPrefix(`/`)"
      - "traefik.http.routers.fedeo-frontend-secure.entrypoints=web-secured" #
      - "traefik.http.routers.fedeo-frontend-secure.tls.certresolver=mytlschallenge"
      - "traefik.http.routers.fedeo-frontend-secure.priority=1"
  docs:
    image: git.federspiel.tech/flfeders/fedeo/docs:dev
    restart: always
    networks:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      - "traefik.port=3000"
      # Middlewares
      - "traefik.http.middlewares.fedeo-docs-redirect-web-secure.redirectscheme.scheme=https"
      - "traefik.http.middlewares.fedeo-docs-strip.stripprefix.prefixes=/docs"
      # Web Entrypoint
      - "traefik.http.routers.fedeo-docs.middlewares=fedeo-docs-redirect-web-secure"
      - "traefik.http.routers.fedeo-docs.rule=Host(`app.fedeo.de`) && PathPrefix(`/docs`)"
      - "traefik.http.routers.fedeo-docs.entrypoints=web"
      - "traefik.http.routers.fedeo-docs.priority=120"
      # Web Secure Entrypoint
      - "traefik.http.routers.fedeo-docs-secure.rule=Host(`app.fedeo.de`) && PathPrefix(`/docs`)"
      - "traefik.http.routers.fedeo-docs-secure.entrypoints=web-secured"
      - "traefik.http.routers.fedeo-docs-secure.tls.certresolver=mytlschallenge"
      - "traefik.http.routers.fedeo-docs-secure.middlewares=fedeo-docs-strip"
      - "traefik.http.routers.fedeo-docs-secure.priority=120"
  backend:
    image: git.federspiel.tech/flfeders/fedeo/backend:dev
    restart: always
    environment:
      - INFISICAL_CLIENT_ID=a6838bd6-9983-4bf4-9be2-ace830b9abdf
      - INFISICAL_CLIENT_SECRET=4e3441acc0adbffd324aa50e668a95a556a3f55ec6bb85954e176e35a3392003
      - NODE_ENV=production
    networks:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      - "traefik.port=3100"
      # Middlewares
      - "traefik.http.middlewares.fedeo-backend-redirect-web-secure.redirectscheme.scheme=https"
      - "traefik.http.middlewares.fedeo-backend-strip.stripprefix.prefixes=/backend"
      # Web Entrypoint
      - "traefik.http.routers.fedeo-backend.middlewares=fedeo-backend-redirect-web-secure"
      - "traefik.http.routers.fedeo-backend.rule=Host(`app.fedeo.de`) && PathPrefix(`/backend`)"
      - "traefik.http.routers.fedeo-backend.entrypoints=web"
      # Web Secure Entrypoint
      - "traefik.http.routers.fedeo-backend-secure.rule=Host(`app.fedeo.de`) && PathPrefix(`/backend`)"
      - "traefik.http.routers.fedeo-backend-secure.entrypoints=web-secured" #
      - "traefik.http.routers.fedeo-backend-secure.tls.certresolver=mytlschallenge"
      - "traefik.http.routers.fedeo-backend-secure.middlewares=fedeo-backend-strip"
  matrix-db:
    image: postgres:16-alpine
    restart: unless-stopped
    profiles:
      - matrix
    environment:
      - POSTGRES_DB=${MATRIX_POSTGRES_DB:-synapse}
      - POSTGRES_USER=${MATRIX_POSTGRES_USER:-synapse}
      - POSTGRES_PASSWORD=${MATRIX_POSTGRES_PASSWORD:-change-this-matrix-db-password}
      - POSTGRES_INITDB_ARGS=--encoding=UTF8 --lc-collate=C --lc-ctype=C
    volumes:
      - ./matrix/postgres:/var/lib/postgresql/data
    networks:
      - traefik

  matrix-redis:
    image: redis:7-alpine
    restart: unless-stopped
    profiles:
      - matrix
    networks:
      - traefik

  matrix-synapse:
    image: ghcr.io/element-hq/synapse:latest
    restart: unless-stopped
    profiles:
      - matrix
    depends_on:
      - matrix-db
      - matrix-redis
    environment:
      - SYNAPSE_CONFIG_PATH=/data/homeserver.yaml
    volumes:
      - ./matrix/synapse:/data
    networks:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      - "traefik.port=8008"
      - "traefik.http.services.fedeo-matrix.loadbalancer.server.port=8008"
      # Matrix Client-Server API
      - "traefik.http.routers.fedeo-matrix.rule=Host(`${MATRIX_HOMESERVER_HOST:-matrix.fedeo.de}`) && PathPrefix(`/_matrix`)"
      - "traefik.http.routers.fedeo-matrix.entrypoints=web"
      - "traefik.http.routers.fedeo-matrix.middlewares=fedeo-matrix-redirect-web-secure"
      - "traefik.http.routers.fedeo-matrix.service=fedeo-matrix"
      - "traefik.http.middlewares.fedeo-matrix-redirect-web-secure.redirectscheme.scheme=https"
      - "traefik.http.routers.fedeo-matrix-secure.rule=Host(`${MATRIX_HOMESERVER_HOST:-matrix.fedeo.de}`) && PathPrefix(`/_matrix`)"
      - "traefik.http.routers.fedeo-matrix-secure.entrypoints=web-secured"
      - "traefik.http.routers.fedeo-matrix-secure.tls.certresolver=mytlschallenge"
      - "traefik.http.routers.fedeo-matrix-secure.service=fedeo-matrix"
      # Matrix Federation API, nur öffnen wenn Federation gewünscht ist.
      - "traefik.http.routers.fedeo-matrix-federation.rule=Host(`${MATRIX_HOMESERVER_HOST:-matrix.fedeo.de}`) && PathPrefix(`/_matrix/federation`)"
      - "traefik.http.routers.fedeo-matrix-federation.entrypoints=web-secured"
      - "traefik.http.routers.fedeo-matrix-federation.tls.certresolver=mytlschallenge"
      - "traefik.http.routers.fedeo-matrix-federation.service=fedeo-matrix"

  matrix-well-known:
    image: nginx:1.27-alpine
    restart: unless-stopped
    profiles:
      - matrix
    volumes:
      - ./matrix/well-known:/usr/share/nginx/html/.well-known/matrix:ro
    networks:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      - "traefik.port=80"
      - "traefik.http.services.fedeo-matrix-well-known.loadbalancer.server.port=80"
      - "traefik.http.middlewares.fedeo-matrix-well-known-cors.headers.accesscontrolalloworiginlist=*"
      - "traefik.http.middlewares.fedeo-matrix-well-known-cors.headers.accesscontrolallowmethods=GET,OPTIONS"
      - "traefik.http.middlewares.fedeo-matrix-well-known-cors.headers.accesscontrolallowheaders=Content-Type,Authorization"
      - "traefik.http.routers.fedeo-matrix-well-known.rule=Host(`${MATRIX_SERVER_NAME:-fedeo.de}`) && PathPrefix(`/.well-known/matrix`)"
      - "traefik.http.routers.fedeo-matrix-well-known.entrypoints=web-secured"
      - "traefik.http.routers.fedeo-matrix-well-known.tls.certresolver=mytlschallenge"
      - "traefik.http.routers.fedeo-matrix-well-known.middlewares=fedeo-matrix-well-known-cors"
      - "traefik.http.routers.fedeo-matrix-well-known.service=fedeo-matrix-well-known"

  matrix-turn:
    image: instrumentisto/coturn:4
    restart: unless-stopped
    profiles:
      - matrix
    command:
      - --fingerprint
      - --use-auth-secret
      - --static-auth-secret=${MATRIX_TURN_SHARED_SECRET:-change-this-turn-secret}
      - --realm=${MATRIX_SERVER_NAME:-fedeo.de}
      - --listening-port=3478
      - --tls-listening-port=5349
      - --min-port=49160
      - --max-port=49200
      - --no-cli
      - --no-tlsv1
      - --no-tlsv1_1
    ports:
      - "3478:3478/tcp"
      - "3478:3478/udp"
      - "5349:5349/tcp"
      - "49160-49200:49160-49200/udp"
    networks:
      - traefik

  matrix-livekit:
    image: livekit/livekit-server:v1.9
    restart: unless-stopped
    profiles:
      - matrix
    depends_on:
      - matrix-redis
    entrypoint: /bin/sh
    command:
      - -ec
      - |
        cat >/tmp/livekit.yaml <<EOF
        port: 7880
        redis:
          address: matrix-redis:6379
        rtc:
          tcp_port: 7881
          port_range_start: 50000
          port_range_end: 50100
          use_external_ip: true
        keys:
          ${LIVEKIT_KEY:-fedeo-livekit}: ${LIVEKIT_SECRET:-change-this-livekit-secret-please-replace}
        room:
          auto_create: false
        EOF
        exec /livekit-server --config /tmp/livekit.yaml
    ports:
      - "7881:7881/tcp"
      - "50000-50100:50000-50100/udp"
    networks:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      - "traefik.port=7880"
      - "traefik.http.services.fedeo-matrix-livekit.loadbalancer.server.port=7880"
      - "traefik.http.middlewares.fedeo-matrix-livekit-strip.stripprefix.prefixes=/livekit/sfu"
      - "traefik.http.routers.fedeo-matrix-livekit.rule=Host(`${MATRIX_RTC_HOST:-call.fedeo.de}`) && PathPrefix(`/livekit/sfu`)"
      - "traefik.http.routers.fedeo-matrix-livekit.entrypoints=web-secured"
      - "traefik.http.routers.fedeo-matrix-livekit.tls.certresolver=mytlschallenge"
      - "traefik.http.routers.fedeo-matrix-livekit.middlewares=fedeo-matrix-livekit-strip"
      - "traefik.http.routers.fedeo-matrix-livekit.service=fedeo-matrix-livekit"

  matrix-rtc-jwt:
    image: ghcr.io/element-hq/lk-jwt-service:latest
    restart: unless-stopped
    profiles:
      - matrix
    depends_on:
      - matrix-livekit
      - matrix-synapse
    environment:
      - LIVEKIT_URL=wss://${MATRIX_RTC_HOST:-call.fedeo.de}/livekit/sfu
      - LIVEKIT_KEY=${LIVEKIT_KEY:-fedeo-livekit}
      - LIVEKIT_SECRET=${LIVEKIT_SECRET:-change-this-livekit-secret-please-replace}
      - LIVEKIT_FULL_ACCESS_HOMESERVERS=${MATRIX_SERVER_NAME:-fedeo.de}
      - LIVEKIT_JWT_BIND=:8080
    networks:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      - "traefik.port=8080"
      - "traefik.http.services.fedeo-matrix-rtc-jwt.loadbalancer.server.port=8080"
      - "traefik.http.middlewares.fedeo-matrix-rtc-jwt-strip.stripprefix.prefixes=/livekit/jwt"
      - "traefik.http.routers.fedeo-matrix-rtc-jwt.rule=Host(`${MATRIX_RTC_HOST:-call.fedeo.de}`) && PathPrefix(`/livekit/jwt`)"
      - "traefik.http.routers.fedeo-matrix-rtc-jwt.entrypoints=web-secured"
      - "traefik.http.routers.fedeo-matrix-rtc-jwt.tls.certresolver=mytlschallenge"
      - "traefik.http.routers.fedeo-matrix-rtc-jwt.middlewares=fedeo-matrix-rtc-jwt-strip"
      - "traefik.http.routers.fedeo-matrix-rtc-jwt.service=fedeo-matrix-rtc-jwt"

  matrix-dev-db:
    image: postgres:16-alpine
    restart: unless-stopped
    profiles:
      - matrix-dev
    environment:
      - POSTGRES_DB=synapse
      - POSTGRES_USER=synapse
      - POSTGRES_PASSWORD=synapse-dev-password
      - POSTGRES_INITDB_ARGS=--encoding=UTF8 --lc-collate=C --lc-ctype=C
    volumes:
      - ./matrix/dev/postgres:/var/lib/postgresql/data
    networks:
      - traefik

  matrix-dev-redis:
    image: redis:7-alpine
    restart: unless-stopped
    profiles:
      - matrix-dev
    networks:
      - traefik

  matrix-dev-synapse:
    image: ghcr.io/element-hq/synapse:latest
    restart: unless-stopped
    profiles:
      - matrix-dev
    depends_on:
      - matrix-dev-db
      - matrix-dev-redis
    environment:
      - SYNAPSE_CONFIG_PATH=/data/homeserver.yaml
    volumes:
      - ./matrix/dev/synapse:/data
    ports:
      - "${MATRIX_DEV_SYNAPSE_PORT:-8008}:8008"
    networks:
      - traefik

  matrix-dev-turn:
    image: instrumentisto/coturn:4
    restart: unless-stopped
    profiles:
      - matrix-dev
    command:
      - --fingerprint
      - --use-auth-secret
      - --static-auth-secret=matrix-dev-turn-secret
      - --realm=localhost
      - --listening-port=3478
      - --min-port=49160
      - --max-port=49200
      - --no-cli
      - --no-tls
      - --no-dtls
    ports:
      - "${MATRIX_DEV_TURN_PORT:-3478}:3478/tcp"
      - "${MATRIX_DEV_TURN_PORT:-3478}:3478/udp"
      - "${MATRIX_DEV_TURN_MIN_PORT:-49160}-${MATRIX_DEV_TURN_MAX_PORT:-49200}:49160-49200/udp"
    networks:
      - traefik

  matrix-dev-livekit:
    image: livekit/livekit-server:v1.9
    restart: unless-stopped
    profiles:
      - matrix-dev
    depends_on:
      - matrix-dev-redis
    entrypoint: /bin/sh
    command:
      - -ec
      - |
        cat >/tmp/livekit.yaml <<EOF
        port: 7880
        redis:
          address: matrix-dev-redis:6379
        rtc:
          tcp_port: 7881
          port_range_start: 50000
          port_range_end: 50100
          use_external_ip: false
        keys:
          devkey: devsecret-local-matrix-stack-32-chars
        room:
          auto_create: false
        EOF
        exec /livekit-server --config /tmp/livekit.yaml
    ports:
      - "${MATRIX_DEV_LIVEKIT_PORT:-7880}:7880"
      - "${MATRIX_DEV_LIVEKIT_TCP_PORT:-7881}:7881/tcp"
      - "${MATRIX_DEV_LIVEKIT_RTC_MIN_PORT:-50000}-${MATRIX_DEV_LIVEKIT_RTC_MAX_PORT:-50100}:50000-50100/udp"
    networks:
      - traefik

  matrix-dev-rtc-jwt:
    image: ghcr.io/element-hq/lk-jwt-service:latest
    restart: unless-stopped
    profiles:
      - matrix-dev
    depends_on:
      - matrix-dev-livekit
      - matrix-dev-synapse
    environment:
      - LIVEKIT_URL=ws://localhost:${MATRIX_DEV_LIVEKIT_PORT:-7880}
      - LIVEKIT_KEY=devkey
      - LIVEKIT_SECRET=devsecret-local-matrix-stack-32-chars
      - LIVEKIT_FULL_ACCESS_HOMESERVERS=localhost
      - LIVEKIT_JWT_BIND=:8080
    ports:
      - "${MATRIX_DEV_RTC_JWT_PORT:-8081}:8080"
    networks:
      - traefik

  matrix-dev-element:
    image: vectorim/element-web:latest
    restart: unless-stopped
    profiles:
      - matrix-dev
    volumes:
      - ./matrix/dev/element-config.json:/app/config.json:ro
    ports:
      - "${MATRIX_DEV_ELEMENT_PORT:-8080}:80"
    networks:
      - traefik
  #  db:
  #    image: postgres
  #    restart: always
  #    shm_size: 128mb
  #    environment:
  #      POSTGRES_PASSWORD: abc
  #      POSTGRES_USER: sandelcom
  #      POSTGRES_DB: sensorfy
  #    volumes:
  #      - ./pg-data:/var/lib/postgresql/data
  #    ports:
  #      - "5432:5432"
  traefik:
    image: traefik:v2.11
    restart: unless-stopped
    container_name: traefik
    command:
      - "--api.insecure=false"
      - "--api.dashboard=false"
      - "--api.debug=false"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=traefik"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web-secured.address=:443"
      - "--accesslog=true"
      - "--accesslog.filepath=/logs/access.log"
      - "--accesslog.bufferingsize=5000"
      - "--accesslog.fields.defaultMode=keep"
      - "--accesslog.fields.headers.defaultMode=keep"
      - "--certificatesresolvers.mytlschallenge.acme.tlschallenge=true" #
      - "--certificatesresolvers.mytlschallenge.acme.email=moin@fedeo.de"
      - "--certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json"
    ports:
      - 80:80
      - 443:443
    volumes:
      - "./traefik/letsencrypt:/letsencrypt" # <== Volume for certs (TLS)
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./traefik/logs:/logs"
    networks:
      - traefik
networks:
  traefik:
    external: false