# CONFIGURED BY ANSIBLE

services:
  # UI dashboard
  dashboard:
    image: netbirdio/dashboard:{{ server_dashboard_tag }}
    restart: always
    ports:
{% if behind_proxy == 'no' %}
      - 80:80
      - 443:443
{% else %}
      # alternate port in case reverse-proxy lives on the same host
      - 127.0.0.1:8091:80
{% endif %}
    environment:
      # Endpoints
      - NETBIRD_MGMT_API_ENDPOINT=https://{{ server_external_fqdn }}:{{mgmt_port}}
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://{{ server_external_fqdn }}:{{mgmt_port}}
      # OIDC
      - AUTH_AUDIENCE={{ server_keycloak_client_id }}
      - AUTH_CLIENT_ID={{ server_keycloak_client_id }}
      - AUTH_CLIENT_SECRET=
      - AUTH_AUTHORITY=https://{{ server_keycloak_fqdn }}/realms/{{ server_keycloak_realm }}
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES={{ scopes }}
      - AUTH_REDIRECT_URI=/peers
      - AUTH_SILENT_REDIRECT_URI=/add-peer
      - NETBIRD_TOKEN_SOURCE=accessToken
{% if behind_proxy == 'no' %}
      # SSL
      - NGINX_SSL_PORT=443
      # Letsencrypt
      - LETSENCRYPT_DOMAIN={{ server_external_fqdn }}
      - LETSENCRYPT_EMAIL={{ server_admin_email }}
    volumes:
      - netbird-letsencrypt:/etc/letsencrypt/
{% endif %}
    logging:
      driver: "json-file"
      options:
        tag: "{{'{{.ImageName}}'}}/{{'{{.Name}}'}}/{{'{{.ID}}'}}"
        max-size: "500m"
        max-file: "2"

  # Signal
  signal:
    image: netbirdio/signal:{{ server_signal_tag }}
    restart: always
    volumes:
      - netbird-signal:/var/lib/netbird
    ports:
{% if behind_proxy == 'no' %}
      - 10000:80
{% else %}
      # alternate port in case reverse-proxy lives on the same host
      - 127.0.0.1:8093:80
{% endif %}
    logging:
      driver: "json-file"
      options:
        tag: "{{'{{.ImageName}}'}}/{{'{{.Name}}'}}/{{'{{.ID}}'}}"
        max-size: "500m"
        max-file: "2"

  # Relay
  relay:
    image: netbirdio/relay:{{ server_relay_tag }}
    restart: always
    environment:
    - NB_LOG_LEVEL=info
    - NB_LISTEN_ADDRESS=:33080
    - NB_EXPOSED_ADDRESS={{ server_external_fqdn }}:33080
    # todo: change to a secure secret
    - NB_AUTH_SECRET={{ server_relay_secret }}
    ports:
      - 33080:33080
    logging:
      driver: "json-file"
      options:
        tag: "{{'{{.ImageName}}'}}/{{'{{.Name}}'}}/{{'{{.ID}}'}}"
        max-size: "500m"
        max-file: "2"

  # Management
  management:
    image: netbirdio/management:{{ server_management_tag }}
    restart: always
    depends_on:
      - dashboard
    volumes:
      - netbird-mgmt:/var/lib/netbird
{% if behind_proxy == 'no' %}
      - netbird-letsencrypt:/etc/letsencrypt:ro
{% endif %}
      - ./management.json:/etc/netbird/management.json
    ports:
{% if behind_proxy == 'no' %}
      - 33073:443 #API port
      - 8081:8081
{% else %}
      # alternate port in case reverse-proxy lives on the same host
      - 127.0.0.1:8092:80 #API port
{% endif %}
    command: [
{% if behind_proxy == 'no' %}
      "--port", "443",
{% else %}
      "--port", "80",
{% endif %}
      "--log-file", "console",
      "--disable-single-account-mode=false",
      "--disable-anonymous-metrics=false",
      "--single-account-mode-domain={{ server_external_fqdn }}",
      "--dns-domain={{ internal_dns_domain }}"
      ]
    logging:
      driver: "json-file"
      options:
        tag: "{{'{{.ImageName}}'}}/{{'{{.Name}}'}}/{{'{{.ID}}'}}"
        max-size: "500m"
        max-file: "2"
    environment:
      - NETBIRD_STORE_ENGINE_POSTGRES_DSN=
      - NETBIRD_STORE_ENGINE_MYSQL_DSN=

volumes:
  netbird-mgmt:
  netbird-signal:
{% if behind_proxy == 'no' %}
  netbird-letsencrypt:
{% endif %}