stack.yml

# vibetype.app
# https://vibetype.app/
# Vibetype
# https://github.com/maevsi/vibetype/
---
x-shared:
  zammad-service:
    &zammad-service # You can access the helpdesk at [zammad.app.localhost](https://zammad.app.localhost/).
    environment: &zammad-environment
      ELASTICSEARCH_HOST: elasticsearch
      ELASTICSEARCH_SCHEMA: https
      ELASTICSEARCH_USER: elastic
      MEMCACHE_SERVERS: memcached:11211
      NGINX_SERVER_SCHEME: https
      POSTGRESQL_DB: zammad
      POSTGRESQL_DB_CREATE: "false"
      POSTGRESQL_HOST: postgres
      POSTGRESQL_OPTIONS: ?pool=50
      REDIS_URL: redis://redis:6379
    image: ghcr.io/zammad/zammad:6.5.2-90
    secrets:
      - source: elasticsearch-password
        target: /run/environment-variables/ELASTICSEARCH_PASS
      - source: postgres_role_service_zammad_username
        target: /run/environment-variables/POSTGRESQL_USER
      - source: postgres_role_service_zammad_password
        target: /run/environment-variables/POSTGRESQL_PASS
    volumes:
      - zammad_data:/opt/zammad/storage
      - ../production/configurations/zammad/docker-entrypoint.sh:/docker-entrypoint.sh:ro
secrets:
  elasticsearch-keystore_password:
    # The search engine's password for the keystore.
    file: ./secrets/elasticsearch/keystore_password.secret
  elasticsearch-password:
    # The search engine's password for the default user.
    file: ./secrets/elasticsearch/password.secret
  grafana_admin_email:
    # The observation dashboard's admin email.
    file: ./secrets/grafana/admin_email.secret
  grafana_admin_password:
    # The observation dashboard's admin password.
    file: ./secrets/grafana/admin_password.secret
  grafana_admin_user:
    # The observation dashboard's admin user.
    file: ./secrets/grafana/admin_user.secret
  grafana_discord_webhook:
    # The observation dashboard's contact point for Discord.
    file: ./secrets/grafana/discord_webhook.secret
  jobber_aliases:
    # The job scheduler's SMTP client mail alias.
    file: ./secrets/jobber/aliases.secret
  jobber_aws-bucket:
    # The job scheduler's AWS bucket name.
    file: ./secrets/jobber/aws-bucket.secret
  jobber_aws-credentials:
    # The job scheduler's AWS credentials.
    file: ./secrets/jobber/aws-credentials.secret
  jobber_aws-configuration:
    # The job scheduler's AWS configuration.
    file: ./secrets/jobber/aws-configuration.secret
  jobber_msmtprc:
    # The job scheduler's SMTP client configuration.
    file: ./secrets/jobber/msmtprc.secret
  portainer_admin-password:
    # The container manager's admin password.
    file: ./secrets/portainer/admin-password.secret
  postgraphile_connection:
    # The GraphQL API's database URI.
    file: ./secrets/postgraphile/connection.secret
  postgraphile_jwt-secret:
    # The GraphQL API's JWT secret.
    file: ./secrets/postgraphile/jwt-secret.secret
  postgraphile_owner-connection:
    # The GraphQL API's database owner URI.
    file: ./secrets/postgraphile/owner-connection.secret
  postgres_db:
    # The database's name.
    file: ./secrets/postgres/db.secret
  postgres_password:
    # The database's password.
    file: ./secrets/postgres/password.secret
  postgres_role_service_grafana_password:
    # The password of the observation dashboard's database role.
    file: ./secrets/postgres/role_service_grafana_password.secret
  postgres_role_service_grafana_username:
    # The username of the observation dashboard's database role.
    file: ./secrets/postgres/role_service_grafana_username.secret
  postgres_role_service_postgraphile_password:
    # The password of the GraphQL API database wrapper's database role.
    file: ./secrets/postgres/role_service_postgraphile_password.secret
  postgres_role_service_postgraphile_username:
    # The username of the GraphQL API database wrapper's database role.
    file: ./secrets/postgres/role_service_postgraphile_username.secret
  postgres_role_service_vibetype_password:
    # The `tusd` database role's password.
    file: ./secrets/postgres/role_service_vibetype_password.secret
  postgres_role_service_vibetype_username:
    # The `tusd` database role's password.
    file: ./secrets/postgres/role_service_vibetype_username.secret
  postgres_role_service_zammad_password:
    # The password of the customer service database role.
    file: ./secrets/postgres/role_service_zammad_password.secret
  postgres_role_service_zammad_username:
    # The username of the customer service database role.
    file: ./secrets/postgres/role_service_zammad_username.secret
  postgres_user:
    # The database's default user.
    file: ./secrets/postgres/user.secret
  reccoom_ingest-api-key:
    # The AI provider's API key for the recommendation engine.
    file: ./secrets/reccoom/ingest-api-key.secret
  reccoom_openai-api-key:
    # The AI provider's API key for the recommendation engine.
    file: ./secrets/reccoom/openai-api-key.secret
  sqitch_target:
    # The database change management application's database connection string.
    file: ./secrets/sqitch/target.secret
  tusd_aws:
    # The upload service's s3 credentials file.
    file: ./secrets/tusd/aws.secret
  vibetype_api-notification-secret:
    # The notification endpoint's secret.
    file: ./secrets/vibetype/api-notification.secret
  vibetype_aws-credentials:
    # The cloud computing provider's user credentials.
    file: ./secrets/vibetype/aws-credentials.secret
  vibetype_firebase-service-account-credentials:
    # The notification provider's service account credentials.
    file: ./secrets/vibetype/firebase-service-account-credentials.secret
  vibetype_monday:
    # The project management software's configuration.
    file: ./secrets/vibetype/monday.secret
  vibetype_openai-api-key:
    # The AI provider's API key for the frontend.
    file: ./secrets/vibetype/openai-api-key.secret
  vibetype_turnstile-key:
    # The captcha provider's application key.
    file: ./secrets/vibetype/turnstile-key.secret
services:
  adminer:
    # You can access the database's frontend at [adminer.app.localhost](https://adminer.app.localhost/).
    # This information is required for login:
    #
    # |          |                     |
    # | -------- | ------------------- |
    # | System   | PostgreSQL          |
    # | Server   | postgres            |
    # | Username | [postgres_user]     |
    # | Password | [postgres_password] |
    # | Database | [postgres_db]       |
    #
    # Values in square brackets are [Docker secrets](https://docs.docker.com/engine/swarm/secrets/).
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.routers.adminer.entryPoints=web
        - traefik.http.routers.adminer.middlewares=redirectscheme #DARGSTACK-REMOVE
        - traefik.http.routers.adminer.rule=Host(`adminer.${STACK_DOMAIN}`)
        - traefik.http.routers.adminer_secure.entryPoints=web-secure
        - traefik.http.routers.adminer_secure.rule=Host(`adminer.${STACK_DOMAIN}`)
        - traefik.http.routers.adminer_secure.tls.options=mintls13@file #DARGSTACK-REMOVE
        - traefik.http.services.adminer.loadbalancer.server.port=8080
    image: adminer:5.4.2-standalone
    volumes:
      - ../production/configurations/adminer/adminer.css:/var/www/html/adminer.css:ro
  debezium:
    # You can see how changes in the database end up in the event stream using `redpanda-console`.
    environment:
      BOOTSTRAP_SERVERS: redpanda:9092
      CONFIG_STORAGE_TOPIC: connect_configs
      GROUP_ID: 1
      OFFSET_STORAGE_TOPIC: connect_offsets
      STATUS_STORAGE_TOPIC: connect_statuses
    # healthcheck:
    #   test: ["CMD", "curl", "--fail", "--silent", "--show-error", "http://localhost:8083/connectors"]
    #   interval: 30s
    #   timeout: 10s
    #   retries: 3
    #   start_period: 20s
    image: quay.io/debezium/connect:3.5
    volumes:
      - debezium_kafka_configuration:/kafka/config
      - debezium_kafka_data:/kafka/data
      - debezium_kafka_logs:/kafka/logs
  debezium-postgres-connector:
    # You can check the database connector's setup logs using `portainer`.
    command: /entrypoint.sh
    deploy:
      restart_policy:
        condition: on-failure
    entrypoint: sh
    image: curlimages/curl:8.18.0
    secrets:
      - postgres_db
      - postgres_password
      - postgres_user
    volumes:
      - ../production/configurations/debezium-postgres-connector/entrypoint.sh:/entrypoint.sh:ro
  elasticsearch:
    # You cannot access the search engine via a web interface.
    environment:
      bootstrap.memory_lock: "true"
      discovery.type: single-node
      ELASTIC_PASSWORD_FILE: /run/secrets/elasticsearch-password
      ES_JAVA_OPTS: -Xms1g -Xmx1g
      KEYSTORE_PASSWORD_FILE: /run/secrets/elasticsearch-keystore_password
      network.publish_host: elasticsearch
    image: elasticsearch:8.19.12
    secrets:
      - source: elasticsearch-keystore_password
        uid: "1000"
        gid: "1000"
        mode: 0o400
      - source: elasticsearch-password
        uid: "1000"
        gid: "1000"
        mode: 0o400
    ulimits:
      nofile:
        soft: 65535
        hard: 65535
      memlock:
        soft: -1
        hard: -1
    volumes:
      - elasticsearch-configuration:/usr/share/elasticsearch/config
      - elasticsearch_data:/usr/share/elasticsearch/data
  geoip:
    # You cannot access the ip geolocator via a web interface.
    image: ghcr.io/observabilitystack/geoip-api:2026-02
  grafana:
    # You can access the observation dashboard at [grafana.app.localhost](https://grafana.app.localhost/).
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.routers.grafana.entryPoints=web
        - traefik.http.routers.grafana.middlewares=redirectscheme #DARGSTACK-REMOVE
        - traefik.http.routers.grafana.rule=Host(`grafana.${STACK_DOMAIN}`)
        - traefik.http.routers.grafana_secure.entryPoints=web-secure
        - traefik.http.routers.grafana_secure.rule=Host(`grafana.${STACK_DOMAIN}`)
        - traefik.http.routers.grafana_secure.tls.options=mintls13@file #DARGSTACK-REMOVE
        - traefik.http.services.grafana.loadbalancer.server.port=3000
    environment:
      GF_DATABASE_HOST: postgres:5432
      GF_DATABASE_PASSWORD__FILE: /run/secrets/postgres_role_service_grafana_password
      GF_DATABASE_TYPE: postgres
      GF_DATABASE_USER__FILE: /run/secrets/postgres_role_service_grafana_username
      GF_SECURITY_ADMIN_EMAIL__FILE: /run/secrets/grafana_admin_email
      GF_SECURITY_ADMIN_PASSWORD__FILE: /run/secrets/grafana_admin_password
      GF_SECURITY_ADMIN_USER__FILE: /run/secrets/grafana_admin_user
      GF_SERVER_ROOT_URL: https://grafana.${STACK_DOMAIN}/
    image: grafana/grafana:12.4.1
    secrets:
      - grafana_admin_email
      - grafana_admin_password
      - grafana_admin_user
      - grafana_discord_webhook
      - postgres_db
      - postgres_role_service_grafana_password
      - postgres_role_service_grafana_username
    volumes:
      - ../production/configurations/grafana/dashboards:/var/lib/grafana/dashboards:ro
      - ../production/configurations/grafana/provisioning:/etc/grafana/provisioning:ro
      - grafana_data:/var/lib/grafana
  jobber:
    # You cannot access the jobber via a web interface.
    environment:
      AWS_SHARED_CREDENTIALS_FILE: /run/secrets/jobber_aws-credentials
    image: ghcr.io/dargmuesli/jobber-aws-msmtp:1.3.0
    secrets:
      - source: jobber_aliases
        target: /etc/aliases
      - jobber_aws-bucket
      - jobber_aws-credentials
      - source: jobber_aws-configuration
        target: /home/jobberuser/.aws/config
      - source: jobber_msmtprc
        target: /etc/msmtprc
    volumes:
      - ../production/backups/postgres/:/backups/
      - ./configurations/jobber/.jobber:/home/jobberuser/.jobber:ro
  memcached:
    # You cannot access the caching system via a web interface.
    image: memcached:1.6.41-alpine
    # command: memcached -m 256M
  minio: #DARGSTACK-REMOVE
    # You can access the s3 console at [minio.app.localhost](https://minio.app.localhost/).
    # You can access the s3 api service at [s3.app.localhost](https://s3.app.localhost/) if you want to access via cli from outside the stack.
    entrypoint: /patched-entrypoint.sh #DARGSTACK-REMOVE
    command: server /data --console-address ":9001" #DARGSTACK-REMOVE
    deploy: #DARGSTACK-REMOVE
      labels: #DARGSTACK-REMOVE
        - traefik.enable=true #DARGSTACK-REMOVE
        # Minio Console
        - traefik.http.routers.minio.entryPoints=web #DARGSTACK-REMOVE
        - traefik.http.routers.minio.middlewares=redirectscheme #DARGSTACK-REMOVE
        - traefik.http.routers.minio.rule=Host(`minio.${STACK_DOMAIN}`) #DARGSTACK-REMOVE
        - traefik.http.routers.minio.service=minio #DARGSTACK-REMOVE
        - traefik.http.routers.minio_secure.entryPoints=web-secure #DARGSTACK-REMOVE
        - traefik.http.routers.minio_secure.rule=Host(`minio.${STACK_DOMAIN}`) #DARGSTACK-REMOVE
        - traefik.http.routers.minio_secure.tls.options=mintls13@file #DARGSTACK-REMOVE
        - traefik.http.routers.minio_secure.service=minio #DARGSTACK-REMOVE
        - traefik.http.services.minio.loadbalancer.server.port=9001 #DARGSTACK-REMOVE
        - traefik.http.services.minio.loadbalancer.passhostheader=true #DARGSTACK-REMOVE
        # Minio itself
        - traefik.http.routers.s3.entryPoints=web #DARGSTACK-REMOVE
        - traefik.http.routers.s3.middlewares=redirectscheme #DARGSTACK-REMOVE
        - traefik.http.routers.s3.rule=Host(`s3.${STACK_DOMAIN}`) #DARGSTACK-REMOVE
        - traefik.http.routers.s3.service=s3 #DARGSTACK-REMOVE
        - traefik.http.routers.s3_secure.entryPoints=web-secure #DARGSTACK-REMOVE
        - traefik.http.routers.s3_secure.rule=Host(`s3.${STACK_DOMAIN}`) #DARGSTACK-REMOVE
        - traefik.http.routers.s3_secure.tls.options=mintls13@file #DARGSTACK-REMOVE
        - traefik.http.routers.s3_secure.service=s3 #DARGSTACK-REMOVE
        - traefik.http.services.s3.loadbalancer.server.port=9000 #DARGSTACK-REMOVE
        - traefik.http.services.s3.loadbalancer.passhostheader=true #DARGSTACK-REMOVE
    image: minio/minio #DARGSTACK-REMOVE
    volumes: #DARGSTACK-REMOVE
      - minio_data:/data #DARGSTACK-REMOVE
      - ./configurations/minio/entrypoint.sh:/patched-entrypoint.sh #DARGSTACK-REMOVE
    environment: #DARGSTACK-REMOVE
      MINIO_ROOT_PASSWORD: s3password #DARGSTACK-REMOVE
      MINIO_ROOT_USER: s3user #DARGSTACK-REMOVE
  portainer:
    # You can access the container manager's frontend at [portainer.app.localhost](https://portainer.app.localhost/).
    command: -H tcp://tasks.portainer-agent:9001 --tlsskipverify --admin-password-file '/run/secrets/portainer_admin-password'
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.routers.portainer.entryPoints=web
        - traefik.http.routers.portainer.middlewares=redirectscheme #DARGSTACK-REMOVE
        - traefik.http.routers.portainer.rule=Host(`portainer.${STACK_DOMAIN}`)
        - traefik.http.routers.portainer_secure.entryPoints=web-secure
        - traefik.http.routers.portainer_secure.rule=Host(`portainer.${STACK_DOMAIN}`)
        - traefik.http.routers.portainer_secure.tls.options=mintls13@file #DARGSTACK-REMOVE
        - traefik.http.services.portainer.loadbalancer.server.port=9000
      placement:
        constraints:
          - node.role == manager
      replicas: 1
    image: portainer/portainer-ce:2.39.0-alpine
    secrets:
      - portainer_admin-password
    volumes:
      - portainer_data:/data
  portainer-agent:
    # You cannot access the container manager's agent directly.
    deploy:
      mode: global
      placement:
        constraints:
          - node.platform.os == linux
    image: portainer/agent:2.39.0
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/lib/docker/volumes:/var/lib/docker/volumes
  postgraphile:
    # You can access the GraphQL API for the PostgreSQL database at [postgraphile.app.localhost](https://postgraphile.app.localhost/).
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.middlewares.postgraphile_auth.forwardauth.address=http://vibetype:3000/api/internal/service/postgraphile/authentication
        - traefik.http.middlewares.postgraphile_auth.forwardauth.forwardBody=true
        - traefik.http.middlewares.postgraphile_auth.forwardauth.preserveRequestMethod=true
        - traefik.http.middlewares.postgraphile_cors.headers.accessControlAllowCredentials=true
        - traefik.http.middlewares.postgraphile_cors.headers.accessControlAllowHeaders=authorization
        - traefik.http.middlewares.postgraphile_cors.headers.accessControlAllowOriginList=https://${STACK_DOMAIN},https://localhost:3000,https://app.localhost:3000
        - traefik.http.routers.postgraphile.entryPoints=web
        - traefik.http.routers.postgraphile.middlewares=redirectscheme #DARGSTACK-REMOVE
        - traefik.http.routers.postgraphile.rule=Host(`postgraphile.${STACK_DOMAIN}`)
        - traefik.http.routers.postgraphile_secure.entryPoints=web-secure
        - traefik.http.routers.postgraphile_secure.middlewares=postgraphile_auth,postgraphile_cors
        - traefik.http.routers.postgraphile_secure.rule=Host(`postgraphile.${STACK_DOMAIN}`) && Path(`/graphql`)
        - traefik.http.routers.postgraphile_secure.tls.options=mintls13@file #DARGSTACK-REMOVE
        - traefik.http.routers.postgraphile_secure_graphiql.entryPoints=web-secure
        - traefik.http.routers.postgraphile_secure_graphiql.rule=Host(`postgraphile.${STACK_DOMAIN}`)
        - traefik.http.routers.postgraphile_secure_graphiql.tls.options=mintls13@file #DARGSTACK-REMOVE
        - traefik.http.services.postgraphile.loadbalancer.server.port=5678
    # # Use the DEBUG environment variable for extended debugging.
    # environment:
    #   DEBUG: graphile-build:warn,graphile-build-pg:sql
    image: maevsi/postgraphile:dev
    secrets:
      - source: postgraphile_connection
        target: /run/environment-variables/POSTGRAPHILE_CONNECTION
      - source: postgraphile_jwt-secret
        target: /run/environment-variables/POSTGRAPHILE_JWT_SECRET_KEY
      - source: postgraphile_owner-connection
        target: /run/environment-variables/POSTGRAPHILE_OWNER_CONNECTION
    volumes:
      - ../../../postgraphile/:/srv/app/ #DARGSTACK-REMOVE
      - ./configurations/postgraphile/jwtES256.key.pub:/run/environment-variables/POSTGRAPHILE_JWT_PUBLIC_KEY:ro
      - pnpm_data:/srv/.pnpm-store/ #DARGSTACK-REMOVE
      - postgraphile_data:/srv/app/node_modules #DARGSTACK-REMOVE
  postgres:
    # You can access the database via `adminer`.
    command: -c vibetype.jwt_expiry_duration='1 month' -c wal_level=logical
    environment:
      POSTGRES_DB_FILE: /run/secrets/postgres_db
      POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
      POSTGRES_USER_FILE: /run/secrets/postgres_user
    image: postgis/postgis:18-3.6-alpine
    ports: #DARGSTACK-REMOVE
      - 5432:5432 #DARGSTACK-REMOVE
    secrets:
      - postgres_db
      - postgres_password
      - postgres_user
    # sysctls:
    #   # Prevent Docker Swarm from killing connections (https://github.com/moby/moby/issues/31208)
    #   - net.ipv4.tcp_keepalive_time=600
    #   - net.ipv4.tcp_keepalive_intvl=30
    #   - net.ipv4.tcp_keepalive_probes=10
    volumes:
      - postgres_data:/var/lib/postgresql/
  prometheus:
    # You can access the metrics monitoring at [prometheus.app.localhost](https://prometheus.app.localhost/).
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.routers.prometheus.entryPoints=web
        - traefik.http.routers.prometheus.middlewares=redirectscheme #DARGSTACK-REMOVE
        - traefik.http.routers.prometheus.rule=Host(`prometheus.${STACK_DOMAIN}`)
        - traefik.http.routers.prometheus_secure.entryPoints=web-secure
        - traefik.http.routers.prometheus_secure.rule=Host(`prometheus.${STACK_DOMAIN}`)
        - traefik.http.routers.prometheus_secure.tls.options=mintls13@file #DARGSTACK-REMOVE
        - traefik.http.services.prometheus.loadbalancer.server.port=9090
    image: prom/prometheus:v3.10.0
    volumes:
      - ../production/configurations/prometheus/prometheus.yaml:/etc/prometheus/prometheus.yml:ro
      - prometheus_data:/prometheus
  reccoom:
    # You cannot access the recommendation service directly.
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.routers.reccoom.entryPoints=web
        - traefik.http.routers.reccoom.middlewares=redirectscheme #DARGSTACK-REMOVE
        - traefik.http.routers.reccoom.rule=Host(`reccoom.${STACK_DOMAIN}`)
        - traefik.http.routers.reccoom_secure.entryPoints=web-secure
        - traefik.http.routers.reccoom_secure.rule=Host(`reccoom.${STACK_DOMAIN}`)
        - traefik.http.routers.reccoom_secure.tls.options=mintls13@file #DARGSTACK-REMOVE
        - traefik.http.services.reccoom.loadbalancer.server.port=5245
    environment:
      POSTGRES_HOST: postgres
      RECCOOM_POSTGRES_HOST: reccoom_postgres
    image: maevsi/reccoom:dev
    secrets:
      - postgres_db
      - postgres_password
      - postgres_user
      - source: reccoom_ingest-api-key
        target: /run/environment-variables/INGEST_API_KEY
      - reccoom_openai-api-key
    volumes:
      - ../../../reccoom/:/srv/app/ #DARGSTACK-REMOVE
      - ./configurations/postgraphile/jwtES256.key.pub:/run/configurations/jwtES256.key.pub:ro
  reccoom_postgres:
    # You can access reccoom's database via `adminer`.
    environment:
      POSTGRES_DB_FILE: /run/secrets/postgres_db
      POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
      POSTGRES_USER_FILE: /run/secrets/postgres_user
    image: pgvector/pgvector:0.8.2-pg18
    ports: #DARGSTACK-REMOVE
      - 5433:5432 #DARGSTACK-REMOVE
    secrets:
      - postgres_db
      - postgres_password
      - postgres_user
    volumes:
      - reccoom_postgres_data:/var/lib/postgresql/
  redis:
    # You cannot access the caching system via a web interface.
    image: redis:8.6.1-alpine
    volumes:
      - redis_data:/data
  redpanda:
    # You can access the event streaming platform's ui as described under `redpanda-console`.
    command:
      - redpanda start
      - --mode dev-container #DARGSTACK-REMOVE
      - --kafka-addr internal://0.0.0.0:9092,external://0.0.0.0:19092
      - --advertise-kafka-addr internal://redpanda:9092,external://localhost:19092
      - --pandaproxy-addr internal://0.0.0.0:8082,external://0.0.0.0:18082
      - --advertise-pandaproxy-addr internal://redpanda:8082,external://localhost:18082
      - --schema-registry-addr internal://0.0.0.0:8081,external://0.0.0.0:18081
    # healthcheck:
    #   test: ["CMD-SHELL", "output=$(rpk cluster health --json); echo \"$output\" | grep -q '\"healthy\":true' || { echo \"$output\"; exit 1; }"]
    #   interval: 30s
    #   timeout: 10s
    #   retries: 3
    #   start_period: 10s
    image: redpandadata/redpanda:v25.3.10
    volumes:
      - redpanda_data:/var/lib/redpanda/data
  redpanda-console:
    # You can access the event streaming platform's ui at [redpanda.app.localhost](https://redpanda.app.localhost/).
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.routers.redpanda.entryPoints=web
        - traefik.http.routers.redpanda.middlewares=redirectscheme #DARGSTACK-REMOVE
        - traefik.http.routers.redpanda.rule=Host(`redpanda.${STACK_DOMAIN}`)
        - traefik.http.routers.redpanda_secure.entryPoints=web-secure
        - traefik.http.routers.redpanda_secure.rule=Host(`redpanda.${STACK_DOMAIN}`)
        - traefik.http.routers.redpanda_secure.tls.options=mintls13@file #DARGSTACK-REMOVE
        - traefik.http.services.redpanda.loadbalancer.server.port=8080
    environment:
      CONFIG_FILEPATH: /srv/app/redpanda-config.yaml
    image: redpandadata/console:v3.5.3
    volumes:
      - ../production/configurations/redpanda/config.yaml:/srv/app/redpanda-config.yaml:ro
  sqitch:
    # You cannot access the database migrations directly.
    image: maevsi/sqitch:dev
    secrets:
      - postgres_role_service_grafana_password
      - postgres_role_service_grafana_username
      - postgres_role_service_postgraphile_password
      - postgres_role_service_postgraphile_username
      - postgres_role_service_vibetype_password
      - postgres_role_service_vibetype_username
      - postgres_role_service_zammad_username
      - postgres_role_service_zammad_password
      - sqitch_target
    volumes:
      - ../../../sqitch/:/srv/app/
  traefik:
    # You can access the reverse proxy's dashboard at [traefik.app.localhost](https://traefik.app.localhost/).
    command:
      - --api=true
      - --entryPoints.web.address=:80
      - --entryPoints.web-secure.address=:443
      - --entryPoints.web-secure.http.encodedCharacters.allowEncodedSlash=true #DARGSTACK-REMOVE # required for Nuxt's virtual imports
      - --providers.swarm=true
      - --providers.swarm.endpoint=unix:///var/run/docker.sock
      - --providers.swarm.exposedByDefault=false
      - --providers.file.filename=/dynamic.yml #DARGSTACK-REMOVE
      - --providers.file.watch=true #DARGSTACK-REMOVE
      - --log.level=DEBUG #DARGSTACK-REMOVE
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.middlewares.redirectscheme.redirectscheme.scheme=https #DARGSTACK-REMOVE
        - traefik.http.routers.traefik.entryPoints=web
        - traefik.http.routers.traefik.middlewares=redirectscheme #DARGSTACK-REMOVE
        - traefik.http.routers.traefik.rule=Host(`traefik.${STACK_DOMAIN}`)
        - traefik.http.routers.traefik.service=api@internal
        - traefik.http.routers.traefik_secure.entryPoints=web-secure
        - traefik.http.routers.traefik_secure.rule=Host(`traefik.${STACK_DOMAIN}`)
        - traefik.http.routers.traefik_secure.service=api@internal
        - traefik.http.routers.traefik_secure.tls.options=mintls13@file #DARGSTACK-REMOVE
        - traefik.http.services.traefik.loadbalancer.server.port=8080
      mode: global
      placement:
        constraints:
          - node.role == manager
    image: traefik:v3.6.10
    ports: #DARGSTACK-REMOVE
      - mode: host #DARGSTACK-REMOVE
        protocol: tcp #DARGSTACK-REMOVE
        published: 80 #DARGSTACK-REMOVE
        target: 80 #DARGSTACK-REMOVE
      - mode: host #DARGSTACK-REMOVE
        protocol: tcp #DARGSTACK-REMOVE
        published: 443 #DARGSTACK-REMOVE
        target: 443 #DARGSTACK-REMOVE
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./certificates/:/etc/traefik/acme/
      - ./configurations/traefik/dynamic.yml:/dynamic.yml:ro #DARGSTACK-REMOVE
  tusd:
    # You can access the upload service at [tusd.app.localhost](https://tusd.app.localhost/).
    command: -behind-proxy --hooks-enabled-events pre-create,pre-finish,pre-terminate --hooks-http http://vibetype:3000/api/internal/service/tusd -max-size ${TUSD_MAX_SIZE} -s3-bucket ${TUSD_BUCKET} -s3-endpoint ${TUSD_ENDPOINT}
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.middlewares.tusd_cors.headers.customresponseheaders.Cross-Origin-Resource-Policy=cross-origin
        - traefik.http.routers.tusd.entryPoints=web
        - traefik.http.routers.tusd.middlewares=redirectscheme #DARGSTACK-REMOVE
        - traefik.http.routers.tusd.rule=Host(`tusd.${STACK_DOMAIN}`)
        - traefik.http.routers.tusd_secure.entryPoints=web-secure
        - traefik.http.routers.tusd_secure.middlewares=tusd_cors
        - traefik.http.routers.tusd_secure.rule=Host(`tusd.${STACK_DOMAIN}`) && (Method(`GET`) || Method(`HEAD`) || Method(`OPTIONS`) || Method(`POST`) || Method(`PUT`) || Method(`PATCH`))
        - traefik.http.routers.tusd_secure.tls.options=mintls13@file #DARGSTACK-REMOVE
        - traefik.http.services.tusd.loadbalancer.server.port=8080
    environment:
      AWS_REGION: ${TUSD_REGION}
    image: tusproject/tusd:v2.9.1
    secrets:
      - source: tusd_aws
        target: /home/tusd/.aws/credentials
  vibetype:
    # You can access the main project's frontend at [app.localhost](https://app.localhost/).
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.middlewares.vibetype_cors.headers.accessControlAllowHeaders=authorization,content-type,hook-name,x-turnstile-key
        - traefik.http.middlewares.vibetype_cors.headers.accessControlAllowMethods=GET,POST,PUT,DELETE
        - traefik.http.middlewares.vibetype_cors.headers.accessControlAllowOriginList=https://localhost:3000,https://app.localhost:3000
        - traefik.http.middlewares.vibetype_redirectregex.redirectregex.regex=^https?:\/\/www\.${STACK_DOMAIN}\/(.*)
        - traefik.http.middlewares.vibetype_redirectregex.redirectregex.replacement=https://${STACK_DOMAIN}/$${2}
        - traefik.http.routers.vibetype.entryPoints=web
        - traefik.http.routers.vibetype.middlewares=redirectscheme #DARGSTACK-REMOVE
        - traefik.http.routers.vibetype.rule=(Host(`${STACK_DOMAIN}`) || Host(`www.${STACK_DOMAIN}`)) && !PathPrefix(`/api/internal`)
        - traefik.http.routers.vibetype_secure.entryPoints=web-secure
        - traefik.http.routers.vibetype_secure.middlewares=vibetype_cors,vibetype_redirectregex
        - traefik.http.routers.vibetype_secure.rule=(Host(`${STACK_DOMAIN}`) || Host(`www.${STACK_DOMAIN}`)) && !PathPrefix(`/api/internal`)
        - traefik.http.routers.vibetype_secure.tls.options=mintls13@file #DARGSTACK-REMOVE
        - traefik.http.services.vibetype.loadbalancer.server.port=3000
    environment:
      AWS_REGION: ${VIBETYPE_AWS_REGION}
      NUXT_PUBLIC_GTAG_ID: ${VIBETYPE_NUXT_PUBLIC_GTAG_ID}
      NUXT_PUBLIC_I18N_BASE_URL: https://${STACK_DOMAIN}
      NUXT_PUBLIC_SITE_URL: https://${STACK_DOMAIN}
      NUXT_PUBLIC_TURNSTILE_SITE_KEY: ${VIBETYPE_NUXT_PUBLIC_TURNSTILE_SITE_KEY}
      NUXT_PUBLIC_VIBETYPE_EMAIL_LIMIT24H: ${VIBETYPE_NUXT_PUBLIC_VIBETYPE_EMAIL_LIMIT24H}
      PGHOST: postgres
    image: maevsi/vibetype:dev
    secrets:
      - source: vibetype_api-notification-secret
        target: /run/environment-variables/NUXT_PRIVATE_API_NOTIFICATION_SECRET
      - source: vibetype_aws-credentials
        target: /home/node/.aws/credentials
      - source: vibetype_firebase-service-account-credentials
        target: /run/environment-variables/FIREBASE_SERVICE_ACCOUNT_CREDENTIALS
      - source: vibetype_monday
        target: /run/environment-variables/NUXT_PRIVATE_MONDAY
      - source: vibetype_openai-api-key
        target: /run/environment-variables/NUXT_PRIVATE_OPENAI_API_KEY
      - source: vibetype_turnstile-key
        target: /run/environment-variables/NUXT_TURNSTILE_SECRET_KEY
      - source: postgres_db
        target: /run/environment-variables/PGDATABASE
      - source: postgres_role_service_vibetype_password
        target: /run/environment-variables/PGPASSWORD
      - source: postgres_role_service_vibetype_username
        target: /run/environment-variables/PGUSER
    user: node:node # files created inside a docker container, like node_modules by pnpm, gain correct permissions by setting the user to `node`
    volumes:
      - pnpm_data:/srv/.pnpm-store/ #DARGSTACK-REMOVE
      - ./certificates/:/srv/certificates/ #DARGSTACK-REMOVE
      - ../../../vibetype/:/srv/app/ #DARGSTACK-REMOVE
      - vibetype_data:/srv/app/node_modules #DARGSTACK-REMOVE
      - ./configurations/postgraphile/jwtES256.key.pub:/run/environment-variables/NUXT_PUBLIC_VIO_AUTH_JWT_PUBLIC_KEY:ro
  zammad-backup:
    # You cannot access the helpdesk backup service via a web interface.
    <<: *zammad-service
    command: ["zammad-backup"]
    user: 0:0
    volumes:
      - zammad-backup_data:/var/tmp/zammad
      - zammad_data:/opt/zammad/storage:ro
      - ../production/configurations/zammad/docker-entrypoint.sh:/docker-entrypoint.sh:ro
  zammad-init:
    # You cannot access the helpdesk initialization service via a web interface.
    <<: *zammad-service
    command: ["zammad-init"]
    deploy:
      restart_policy:
        condition: on-failure
    user: 0:0
  zammad-nginx:
    # You can access the helpdesk at [zammad.app.localhost](https://zammad.app.localhost/).
    <<: *zammad-service
    command: ["zammad-nginx"]
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.routers.zammad.entryPoints=web
        - traefik.http.routers.zammad.middlewares=redirectscheme #DARGSTACK-REMOVE
        - traefik.http.routers.zammad.rule=Host(`zammad.${STACK_DOMAIN}`)
        - traefik.http.routers.zammad_secure.entryPoints=web-secure
        - traefik.http.routers.zammad_secure.rule=Host(`zammad.${STACK_DOMAIN}`)
        - traefik.http.routers.zammad_secure.tls.options=mintls13@file #DARGSTACK-REMOVE
        - traefik.http.services.zammad.loadbalancer.server.port=8080
  zammad-railsserver:
    # You cannot access the helpdesk application server directly.
    <<: *zammad-service
    command: ["zammad-railsserver"]
  zammad-scheduler:
    # You cannot access the helpdesk scheduler directly.
    <<: *zammad-service
    command: ["zammad-scheduler"]
  zammad-websocket:
    # You cannot access the helpdesk websocket server directly.
    <<: *zammad-service
    command: ["zammad-websocket"]
version: "3.7"
volumes:
  debezium_kafka_configuration:
    # The change data capture's configuration.
    {}
  debezium_kafka_data:
    # The change data capture's data.
    {}
  debezium_kafka_logs:
    # The change data capture's logs.
    {}
  elasticsearch-configuration:
    # The search engine's configuration.
    {}
  elasticsearch_data:
    # The search engine's data.
    {}
  grafana_data:
    # The observation dashboard's data.
    {}
  minio_data:
    # The s3 server's data.
    {}
  pnpm_data:
    # The node package manager's data.
    {}
  portainer_data:
    # The container manager's data.
    {}
  postgraphile_data:
    # The GraphQL API's data.
    {}
  postgres_data:
    # The database's data.
    {}
  prometheus_data:
    # The metrics monitoring's data.
    {}
  reccoom_postgres_data:
    # The recommendation database's data.
    {}
  redis_data:
    # The caching system's data.
    {}
  redpanda_data:
    # The message queue's data.
    {}
  vibetype_data:
    # The frontend's data.
    {}
  zammad-backup_data:
    # The helpdesk backup's data.
    {}
  zammad_data:
    # The helpdesk's data.
    {}