---
services:
  ts-keycloak:
    image: tailscale/tailscale:latest
    container_name: ts-keycloak
    hostname: sso
    environment:
      - TS_AUTHKEY=${TAILSCALE_OAUTH_KEY}
      - TS_EXTRA_ARGS=--advertise-tags=${TAILSCALE_TAGS}
      - TS_SERVE_CONFIG=/config/keycloak.json
      - TS_STATE_DIR=/var/lib/tailscale
    volumes:
      - ts-keycloak-state:/var/lib/tailscale
      - ${PWD}/ts-keycloak/config:/config
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - net_admin
      - sys_module
    restart: unless-stopped

  postgres:
    image: postgres:15
    restart: unless-stopped
    ports:
      - 5432:5432
    environment:
      POSTGRES_DB: ${POSTGRES_DB}
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_PASSWORD: ${POSTGRES_PASS}
    volumes:
      - postgres-data:/var/lib/postgresql/data
      - ./postgres/initscripts:/docker-entrypoint-initdb.d
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U $POSTGRES_USER -d $POSTGRES_DB"]
      interval: 10s
      timeout: 5s
      retries: 5

  keycloak:
    depends_on:
      postgres:
        condition: service_healthy
        restart: true
      ts-keycloak:
        condition: service_started
    container_name: keycloak
    environment:
      KC_DB: postgres
      KC_DB_URL_HOST: postgres
      KC_DB_URL_PORT: 5432
      KC_DB_SCHEMA: ${POSTGRES_DB}
      KC_DB_USERNAME: ${POSTGRES_USER}
      KC_DB_PASSWORD: ${POSTGRES_PASS}
      KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
      KC_HOSTNAME: ${KC_HOSTNAME}
      KC_HTTP_ENABLED: true
      KC_PROXY_HEADERS: xforwarded
      KC_HOSTNAME_STRICT: false
    image: quay.io/keycloak/keycloak:latest
    restart: unless-stopped
    command: start
  
volumes:
  ts-keycloak-state:
    driver: local
  postgres-data:
    driver: local