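version: "3.8"

# Local development stack: Keycloak (OIDC identity provider) backed by
# PostgreSQL, with an optional, commented-out gitea-mirror service that can
# join the same network.
#
# Every credential below is a development default whose value is visible to
# anyone who can read this file. Each one can be overridden from the shell or
# an untracked .env file (KEYCLOAK_DB_PASSWORD, KEYCLOAK_ADMIN,
# KEYCLOAK_ADMIN_PASSWORD); do so before the stack is reachable by anything
# other than the local machine.

services:
  # PostgreSQL database for Keycloak
  keycloak-db:
    image: postgres:15-alpine
    container_name: keycloak-db
    restart: unless-stopped
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      # The postgres image applies this only when it initialises an empty
      # data directory; changing it later does not re-key an existing volume.
      POSTGRES_PASSWORD: "${KEYCLOAK_DB_PASSWORD:-keycloak-db-password}"
    volumes:
      - keycloak-db-data:/var/lib/postgresql/data
    # No ports are published: the database is reachable only from containers
    # attached to keycloak-net.
    networks:
      - keycloak-net
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U keycloak"]
      interval: 10s
      timeout: 5s
      retries: 5

  # Keycloak Identity Provider
  keycloak:
    image: quay.io/keycloak/keycloak:23.0
    container_name: keycloak
    restart: unless-stopped
    command: start-dev  # Use 'start' for production with HTTPS
    environment:
      # Admin credentials (development defaults; override before exposing)
      KEYCLOAK_ADMIN: "${KEYCLOAK_ADMIN:-admin}"
      KEYCLOAK_ADMIN_PASSWORD: "${KEYCLOAK_ADMIN_PASSWORD:-admin-password}"

      # Database configuration
      KC_DB: postgres
      KC_DB_URL_HOST: keycloak-db
      KC_DB_URL_DATABASE: keycloak
      KC_DB_USERNAME: keycloak
      # Must resolve to the same value as POSTGRES_PASSWORD on keycloak-db.
      KC_DB_PASSWORD: "${KEYCLOAK_DB_PASSWORD:-keycloak-db-password}"

      # HTTP settings
      # Environment values are quoted so they reach the container as the
      # literal strings written here rather than as YAML booleans/integers.
      # Plain HTTP with relaxed hostname checks is a development setting.
      KC_HTTP_ENABLED: "true"
      KC_HTTP_PORT: "8080"
      KC_HOSTNAME_STRICT: "false"
      KC_HOSTNAME_STRICT_HTTPS: "false"
      # 'edge' makes Keycloak honour forwarded headers from a TLS-terminating
      # reverse proxy. Keep it only when such a proxy is the sole path to
      # port 8080; with the port published directly, any client can supply
      # those headers itself.
      KC_PROXY: edge  # If behind a proxy

      # Development settings (remove for production)
      KC_HOSTNAME: localhost
      KC_HOSTNAME_PORT: "8080"
      KC_HOSTNAME_ADMIN: localhost

      # Features
      # Both are preview features in this release line; enable only what the
      # integration actually uses.
      KC_FEATURES: token-exchange,admin-fine-grained-authz

      # Health and metrics
      # NOTE(review): the healthcheck below reads /health/ready on 8080, so
      # these endpoints appear to share the published HTTP port - confirm
      # they are not reachable by untrusted clients.
      KC_HEALTH_ENABLED: "true"
      KC_METRICS_ENABLED: "true"

      # Log level
      KC_LOG_LEVEL: INFO
      # Uncomment for debug logging
      # KC_LOG_LEVEL: DEBUG
      # QUARKUS_LOG_CATEGORY__ORG_KEYCLOAK_SERVICES: DEBUG
    # These mappings publish on every host interface. For single-machine
    # development, prefix each with the loopback address
    # (e.g. "127.0.0.1:8080:8080") so the dev-mode server and its default
    # admin account are not reachable from the network.
    ports:
      - "8080:8080"  # HTTP
      - "8443:8443"  # HTTPS (if configured)
      # NOTE(review): nothing in this file configures a listener on 9000;
      # confirm the 23.0 image uses it, otherwise drop the mapping.
      - "9000:9000"  # Management
    networks:
      - keycloak-net
      - gitea-mirror-net
    depends_on:
      keycloak-db:
        condition: service_healthy
    volumes:
      # For custom themes (optional)
      - keycloak-themes:/opt/keycloak/themes
      # For importing realm configurations
      # NOTE(review): Keycloak reads data/import at startup only when the
      # server command includes --import-realm, which the command above does
      # not pass - confirm whether the import is meant to run.
      - ./keycloak-realm-export.json:/opt/keycloak/data/import/realm.json:ro
    healthcheck:
      # NOTE(review): this needs a curl binary inside the container; confirm
      # the image ships one. If it does not, the service never reports
      # healthy and anything waiting on service_healthy will not start.
      test: ["CMD", "curl", "-f", "http://localhost:8080/health/ready"]
      interval: 15s
      timeout: 10s
      retries: 10
      start_period: 60s

  # Gitea Mirror Application (uncomment to run together)
  # gitea-mirror:
  #   build: .
  #   # OR use pre-built image:
  #   # image: ghcr.io/raylabshq/gitea-mirror:latest
  #   container_name: gitea-mirror
  #   restart: unless-stopped
  #   environment:
  #     # Core Settings
  #     BETTER_AUTH_URL: http://localhost:4321
  #     BETTER_AUTH_TRUSTED_ORIGINS: http://localhost:4321,http://localhost:8080
  #     # Placeholder: replace with a randomly generated value before use.
  #     BETTER_AUTH_SECRET: "your-32-character-secret-key-here"
  #
  #     # GitHub Settings (configure as needed)
  #     GITHUB_USERNAME: ${GITHUB_USERNAME}
  #     GITHUB_TOKEN: ${GITHUB_TOKEN}
  #
  #     # Gitea Settings (configure as needed)
  #     GITEA_URL: ${GITEA_URL}
  #     GITEA_USERNAME: ${GITEA_USERNAME}
  #     GITEA_TOKEN: ${GITEA_TOKEN}
  #   volumes:
  #     - ./data:/app/data
  #   ports:
  #     - "4321:4321"
  #   networks:
  #     - gitea-mirror-net
  #   depends_on:
  #     keycloak:
  #       condition: service_healthy

# Named volumes, so data survives container re-creation.
volumes:
  keycloak-db-data:
    name: keycloak-db-data
  keycloak-themes:
    name: keycloak-themes

# keycloak-net carries database traffic only; gitea-mirror-net is the network
# the optional gitea-mirror service shares with Keycloak.
networks:
  keycloak-net:
    name: keycloak-net
    driver: bridge
  gitea-mirror-net:
    name: gitea-mirror-net
    driver: bridge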