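# Docker Compose template (Jinja2): Keycloak backed by PostgreSQL, published
# through Traefik labels.
#
# Templated scalars are double-quoted. Unquoted, an empty expansion renders as
# null, a boolean- or number-looking value changes type, and a value holding
# " #" is silently cut at the comment marker, which would shorten a password.
# Caveats for the quoted form: a double quote or backslash inside a value must
# be escaped before rendering, and Compose interpolates the dollar sign, so a
# literal one has to be written twice.
#
# The rendered file contains database and admin credentials in clear text and
# the same values are visible in the container environment (docker inspect).
# Keep the rendered file readable by its owner only and source the secret
# variables from an encrypted store rather than from plain defaults.
services:
  # Database is attached to the backend network only; it carries no Traefik
  # labels and publishes no ports.
  postgres:
    image: "{{ keycloak_postgres_image }}"
    restart: unless-stopped
    environment:
      POSTGRES_DB: "{{ keycloak_postgres_db }}"
      POSTGRES_USER: "{{ keycloak_postgres_user }}"
      POSTGRES_PASSWORD: "{{ keycloak_postgres_password }}"
    volumes:
      - "{{ keycloak_docker_volume_dir }}/postgresql:/var/lib/postgresql/data"
    networks:
      - "{{ keycloak_backend_network }}"

  "{{ keycloak_service_name }}":
    image: "{{ keycloak_image }}"
    restart: unless-stopped
    # Run through a shell so the build step and the optimized start can be
    # chained in one container command.
    entrypoint: /bin/sh
    command:
      - "-c"
      - >
        /opt/keycloak/bin/kc.sh build &&
        /opt/keycloak/bin/kc.sh start --optimized
    environment:
      KC_DB: postgres
      KC_DB_URL: "jdbc:postgresql://postgres:5432/{{ keycloak_postgres_db }}"
      KC_DB_USERNAME: "{{ keycloak_postgres_user }}"
      KC_DB_PASSWORD: "{{ keycloak_postgres_password }}"
      # NOTE(review): newer Keycloak releases replace these two variables with
      # KC_BOOTSTRAP_ADMIN_USERNAME / KC_BOOTSTRAP_ADMIN_PASSWORD; confirm
      # against the version pinned in keycloak_image. Either way this is a
      # bootstrap credential: rotate it or replace the account after first use.
      KEYCLOAK_ADMIN: "{{ keycloak_admin_user }}"
      KEYCLOAK_ADMIN_PASSWORD: "{{ keycloak_admin_password }}"
      KC_LOG_LEVEL: "{{ keycloak_log_level }}"
      # Quoted so the rendered true/false stays a string, as Compose expects
      # for environment values.
      KC_SPI_RESOURCE_ENCODING_GZIP_ENABLED: "{{ keycloak_gzip_enabled | lower }}"
      KC_SPI_RESOURCE_ENCODING_GZIP_CACHE_DIR: /opt/keycloak/data/gzip-cache
      # NOTE(review): KC_PROXY is deprecated in newer Keycloak releases in
      # favour of KC_PROXY_HEADERS; confirm against the pinned image version.
      # Whichever is used, Keycloak will trust the forwarded headers, so the
      # container must only be reachable through the proxy.
      KC_PROXY: "{{ keycloak_proxy_mode }}"
      KC_HOSTNAME: "{{ keycloak_domain }}"
    depends_on:
      - postgres
    volumes:
      - "{{ keycloak_docker_volume_dir }}/data:/opt/keycloak/data"
    networks:
      - "{{ keycloak_backend_network }}"
      - "{{ keycloak_traefik_network }}"
    tmpfs:
      - /opt/keycloak/data/tmp:size=1024m
    labels:
      - traefik.enable=true
      - "traefik.docker.network={{ keycloak_traefik_network }}"
      - "traefik.http.routers.{{ keycloak_service_name }}.rule=Host(`{{ keycloak_domain }}`)"
{% if keycloak_use_ssl %}
      - "traefik.http.routers.{{ keycloak_service_name }}.entrypoints=websecure"
      - "traefik.http.routers.{{ keycloak_service_name }}.tls=true"
{% else %}
      - "traefik.http.routers.{{ keycloak_service_name }}.entrypoints=web"
{% endif %}
      - "traefik.http.services.{{ keycloak_service_name }}.loadbalancer.server.port={{ keycloak_port }}"
      # Middleware: Keycloak proxy headers
      # The middleware overwrites the forwarded host with the configured
      # domain, so a client-supplied value does not reach Keycloak.
      # NOTE(review): proto=https and port=443 are set even when the router
      # is bound to the plain "web" entrypoint (keycloak_use_ssl false).
      # Keycloak will then treat plain-HTTP requests as secure; confirm that
      # TLS is terminated in front of Traefik in that mode, or make these two
      # values conditional as well.
      - "traefik.http.routers.{{ keycloak_service_name }}.middlewares={{ keycloak_service_name }}-headers"
      - "traefik.http.middlewares.{{ keycloak_service_name }}-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.{{ keycloak_service_name }}-headers.headers.customrequestheaders.X-Forwarded-Host={{ keycloak_domain }}"
      - "traefik.http.middlewares.{{ keycloak_service_name }}-headers.headers.customrequestheaders.X-Forwarded-Port=443"

networks:
  # Created by this project; shared by Keycloak and its database.
  "{{ keycloak_backend_network }}": {}
  # Pre-existing network owned by the Traefik deployment.
  "{{ keycloak_traefik_network }}":
    external: true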