services:
  passbolt-db:
    profiles: ["apps","all","passbolt"]
    container_name: passbolt-db
    image: mariadb:12
    restart: always
#    env_file:
#      - ${PROJECT_ROOT}/secrets/stack-secrets.env
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: ${PASSBOLT_MYSQL_RANDOM_ROOT_PASSWORD}
      MYSQL_DATABASE: ${PASSBOLT_DB_NAME}
      MYSQL_USER: ${PASSBOLT_DB_USER}
      MYSQL_PASSWORD_FILE: /run/secrets/passbolt_db_password
    secrets:
      - passbolt_db_password
    volumes:
      - ${PROJECT_ROOT}/apps/passbolt/data/database:/var/lib/mysql
    networks:
      - passbolt
    healthcheck:
      test: ["CMD-SHELL", "mariadb-admin ping -h 127.0.0.1 -u\"$$MYSQL_USER\" -p\"$$(cat /run/secrets/passbolt_db_password)\" --silent"]
      interval: 10s
      timeout: 5s
      retries: 12
      start_period: 60s
    labels:
       - "io.portainer.accesscontrol.public"

  passbolt-webapp:
    image: passbolt/passbolt:latest-ce
    profiles: ["apps","all","passbolt"]
    container_name: passbolt-webapp
    restart: always
    depends_on:
      - passbolt-db
#    env_file:
#      - ${PROJECT_ROOT}/secrets/stack-secrets.env
    environment:
      APP_FULL_BASE_URL: ${PASSBOLT_APP_FULL_BASE_URL}
      DATASOURCES_DEFAULT_HOST: ${PASSBOLT_DATASOURCES_DEFAULT_HOST}
      DATASOURCES_DEFAULT_USERNAME: ${PASSBOLT_DB_USER}
      DATASOURCES_DEFAULT_PASSWORD_FILE: /run/secrets/passbolt_db_password
      DATASOURCES_DEFAULT_DATABASE: ${PASSBOLT_DB_NAME}
      PASSBOLT_GPG_SERVER_KEY_FINGERPRINT: ${PASSBOLT_GPG_SERVER_KEY_FINGERPRINT}
    secrets:
      - passbolt_db_password
    volumes:
      - ${PROJECT_ROOT}/apps/passbolt/data/gpg:/etc/passbolt/gpg
      - ${PROJECT_ROOT}/apps/passbolt/data/jwt:/etc/passbolt/jwt
    command:
      [
        "/usr/bin/wait-for.sh",
        "-t",
        "0",
        "passbolt-db:3306",
        "--",
        "/docker-entrypoint.sh",
      ]
    networks:
      - traefik
      - passbolt
    labels:
      - "traefik.http.routers.passbolt.rule=Host(`passbolt.lan.ddnsgeek.com`)"
      - "traefik.enable=true"
      - "traefik.http.routers.passbolt.entrypoints=websecure"
      - "traefik.http.routers.passbolt.tls.certresolver=myresolver"
      - "io.portainer.accesscontrol.public"
      - "traefik.docker.network=core_traefik"
    healthcheck:
      test: ["CMD-SHELL", "curl -fsS http://localhost/healthcheck/status | grep -qx OK"]
      interval: 30s
      timeout: 10s
      retries: 6
      start_period: 120s

networks:
  passbolt:

secrets:
  passbolt_db_password:
    file: ${PROJECT_ROOT}/secrets/passbolt_db_password.txt