version: "3.8"

secrets:
  MASTER_KEY:
    file: ../secrets/auth/zitadel/MASTER_KEY

services:
  backup:
    volumes:
      - ../data/auth:/mnt/backup/src/auth:ro

  generate-secrets:
    volumes:
      - ../secrets/auth/zitadel/MASTER_KEY:/secrets/auth/zitadel/MASTER_KEY

  zitadel:
    restart: 'unless-stopped'
    image: 'ghcr.io/zitadel/zitadel:latest'
    environment:
      ZITADEL_DATABASE_COCKROACH_HOST: crdb
      ZITADEL_EXTERNALSECURE: true
      ZITADEL_EXTERNALDOMAIN: auth.${DOMAIN}
      ZITADEL_EXTERNALPORT: 8321
      ZITADEL_WEBAUTHN_NAME: ${DOMAIN}
    secrets:
      - MASTER_KEY
    command: "start-from-init --masterkeyFile /run/secrets/MASTER_KEY --tlsMode disabled"
    depends_on:
      generate-secrets:
        condition: 'service_completed_successfully'
      caddy:
        condition: 'service_healthy'
      crdb:
        condition: 'service_healthy'
    ports:
      - '8321:8080'

  crdb:
    restart: unless-stopped
    image: 'cockroachdb/cockroach:latest-v23.1'
    depends_on:
      generate-secrets:
        condition: 'service_completed_successfully'
    command: "start-single-node --insecure --store=path=/cockroach/cockroach-data,size=20%"
    healthcheck:
      test: ["CMD", "curl", "--fail", "http://localhost:8080/health?ready=1"]
      interval: '10s'
      timeout: '30s'
      retries: 5
      start_period: '20s'
    ports:
      - '9090:8080'
      - '26257:26257'
    volumes:
      - ../data/auth/crdb/data:/cockroach/cockroach-data:rw

  caddy:
    volumes:
      - ./auth/Proxyfile:/etc/caddy.d/zitadel:ro