services:
  tandoor:
    image: ${TANDOOR_IMAGE:-vabene1111/recipes:latest}
    container_name: ${TANDOOR_COMPOSE_PROJECT_NAME}_app
    restart: unless-stopped
    environment:
      # Django settings
      SECRET_KEY: ${TANDOOR_SECRET_KEY}
      ALLOWED_HOSTS: ${TANDOOR_TRAEFIK_HOST}
      TIMEZONE: ${TIMEZONE:-Europe/Berlin}

      # Database configuration
      DB_ENGINE: django.db.backends.postgresql
      POSTGRES_HOST: ${CORE_DB_HOST}
      POSTGRES_PORT: ${CORE_DB_PORT}
      POSTGRES_USER: ${DB_USER}
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_DB: ${TANDOOR_DB_NAME}

      # Application settings
      ENABLE_SIGNUP: ${TANDOOR_ENABLE_SIGNUP:-0}
      REVERSE_PROXY_AUTH: ${TANDOOR_REVERSE_PROXY_AUTH:-0}

      # Email configuration (IONOS SMTP)
      EMAIL_HOST: ${EMAIL_SMTP_HOST}
      EMAIL_PORT: ${EMAIL_SMTP_PORT}
      EMAIL_HOST_USER: ${EMAIL_SMTP_USER}
      EMAIL_HOST_PASSWORD: ${EMAIL_SMTP_PASSWORD}
      EMAIL_USE_TLS: ${TANDOOR_EMAIL_USE_TLS:-0}
      EMAIL_USE_SSL: ${TANDOOR_EMAIL_USE_SSL:-1}
      DEFAULT_FROM_EMAIL: ${EMAIL_FROM}

      # Gunicorn settings
      GUNICORN_MEDIA: ${TANDOOR_GUNICORN_MEDIA:-0}

      # Optional features
      COMMENT_PREF_DEFAULT: ${TANDOOR_COMMENT_PREF_DEFAULT:-1}
      SHOPPING_MIN_AUTOSYNC_INTERVAL: ${TANDOOR_SHOPPING_MIN_AUTOSYNC_INTERVAL:-5}

    volumes:
      - tandoor_staticfiles:/opt/recipes/staticfiles
      - tandoor_mediafiles:/opt/recipes/mediafiles

    depends_on:
      - postgres

    networks:
      - compose_network

    labels:
      - 'traefik.enable=${TANDOOR_TRAEFIK_ENABLED}'
      # HTTP to HTTPS redirect
      - 'traefik.http.middlewares.${TANDOOR_COMPOSE_PROJECT_NAME}-redirect-web-secure.redirectscheme.scheme=https'
      - 'traefik.http.routers.${TANDOOR_COMPOSE_PROJECT_NAME}-web.middlewares=${TANDOOR_COMPOSE_PROJECT_NAME}-redirect-web-secure'
      - 'traefik.http.routers.${TANDOOR_COMPOSE_PROJECT_NAME}-web.rule=Host(`${TANDOOR_TRAEFIK_HOST}`)'
      - 'traefik.http.routers.${TANDOOR_COMPOSE_PROJECT_NAME}-web.entrypoints=web'
      # HTTPS router
      - 'traefik.http.routers.${TANDOOR_COMPOSE_PROJECT_NAME}-web-secure.rule=Host(`${TANDOOR_TRAEFIK_HOST}`)'
      - 'traefik.http.routers.${TANDOOR_COMPOSE_PROJECT_NAME}-web-secure.tls.certresolver=resolver'
      - 'traefik.http.routers.${TANDOOR_COMPOSE_PROJECT_NAME}-web-secure.entrypoints=web-secure'
      - 'traefik.http.middlewares.${TANDOOR_COMPOSE_PROJECT_NAME}-web-secure-compress.compress=true'
      - 'traefik.http.routers.${TANDOOR_COMPOSE_PROJECT_NAME}-web-secure.middlewares=${TANDOOR_COMPOSE_PROJECT_NAME}-web-secure-compress,security-headers@file'
      # Service
      - 'traefik.http.services.${TANDOOR_COMPOSE_PROJECT_NAME}-web-secure.loadbalancer.server.port=80'
      - 'traefik.docker.network=${NETWORK_NAME}'
      # Watchtower
      - 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}'

volumes:
  tandoor_staticfiles:
    name: ${TANDOOR_COMPOSE_PROJECT_NAME}_staticfiles
  tandoor_mediafiles:
    name: ${TANDOOR_COMPOSE_PROJECT_NAME}_mediafiles

networks:
  compose_network:
    name: ${NETWORK_NAME}
    external: true