services:
  passbolt-db:
    profiles: ["apps","all","passbolt"]
    container_name: passbolt-db
    image: mariadb:12
    restart: always
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "${PASSBOLT_MYSQL_RANDOM_ROOT_PASSWORD}"
      MYSQL_DATABASE: "${PASSBOLT_MYSQL_DATABASE}"
      MYSQL_USER: "${PASSBOLT_MYSQL_USER}"
      MYSQL_PASSWORD: "${PASSBOLT_MYSQL_PASSWORD}"
    volumes:
      - ${PROJECT_ROOT}/apps/passbolt/data/database:/var/lib/mysql
    networks:
      - passbolt
    healthcheck:
      test: ["CMD-SHELL", "mariadb-admin ping -h 127.0.0.1 -u\"$$MARIADB_USER\" -p\"$$MARIADB_PASSWORD\" --silent"]
      interval: 10s
      timeout: 5s
      retries: 12
      start_period: 60s
    labels:
       - "io.portainer.accesscontrol.public"


  passbolt-webapp:
    image: passbolt/passbolt:latest-ce
    profiles: ["apps","all","passbolt"]
    container_name: passbolt-webapp
    #Alternatively you can use rootless:
    restart: always
    depends_on:
      - passbolt-db
    environment:
      APP_FULL_BASE_URL: ${PASSBOLT_APP_FULL_BASE_URL}
      DATASOURCES_DEFAULT_HOST: "${PASSBOLT_DATASOURCES_DEFAULT_HOST}"
      DATASOURCES_DEFAULT_USERNAME: "${PASSBOLT_DATASOURCES_DEFAULT_USERNAME}"
      DATASOURCES_DEFAULT_PASSWORD: "${PASSBOLT_DATASOURCES_DEFAULT_PASSWORD}"
      DATASOURCES_DEFAULT_DATABASE: "${PASSBOLT_DATASOURCES_DEFAULT_DATABASE}"
      PASSBOLT_GPG_SERVER_KEY_FINGERPRINT: "${PASSBOLT_GPG_SERVER_KEY_FINGERPRINT}"
    volumes:
      - ${PROJECT_ROOT}/apps/passbolt/data/gpg:/etc/passbolt/gpg
      - ${PROJECT_ROOT}/apps/passbolt/data/jwt:/etc/passbolt/jwt
    command:
      [
        "/usr/bin/wait-for.sh",
        "-t",
        "0",
        "passbolt-db:3306",
        "--",
        "/docker-entrypoint.sh",
      ]
    networks:
      - traefik
      - passbolt
    labels:
      - "traefik.http.routers.passbolt.rule=Host(`passbolt.lan.ddnsgeek.com`)"
      - "traefik.enable=true"
      - "traefik.http.routers.passbolt.entrypoints=websecure"
      - "traefik.http.routers.passbolt.tls.certresolver=myresolver"
      - "io.portainer.accesscontrol.public"
      - "traefik.docker.network=core_traefik"

    healthcheck:
      test: ["CMD-SHELL", "curl -fsS http://localhost/healthcheck/status | grep -qx OK"]
#        su -s /bin/sh -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck" www-data
#        | grep -q "No error found"
      interval: 30s
      timeout: 10s
      retries: 6
      start_period: 120s


networks:
#  traefik_reverse_proxy:
#    external: true
#  internal:
#    driver: bridge
  passbolt: