version: "3"

services:

  app:

    image: quay.io/hedgedoc/hedgedoc:1.7.2-debian
    restart: always
    depends_on:
      - db
    environment:
      CMD_DB_URL: "mysql://hackmd:{{ mysql_user_pass }}@db:3306/hackmd"
      CMD_SESSION_SECRET: "{{ hackmd_session_secret }}"
      CMD_ALLOW_ANONYMOUS: "true"
      CMD_ALLOW_ANONYMOUS_EDITS: "true"
      CMD_DEFAULT_PERMISSION: "freely"
      CMD_ALLOW_FREEURL: "true"
      CMD_LDAP_URL: "ldap://{{ ldap_ip_ext }}:389"
      CMD_LDAP_BINDDN: "{{ ldap_readonly_bind_dn }}"
      CMD_LDAP_BINDCREDENTIALS: "{{ ldap_readonly_pass }}"
      CMD_LDAP_SEARCHBASE: "{{ ldap_base_dn }}"
      CMD_LDAP_SEARCHFILTER: "(&(uid={% raw %}{{username}}{% endraw %})(objectClass=inetOrgPerson)(memberof=CN=active,OU=groups,DC=warpzone,DC=ms))"
      CMD_LDAP_SEARCHATTRIBUTES: "uid"
      CMD_LDAP_USERIDFIELD: "uid"
      CMD_LDAP_USERNAMEFIELD: "uid"
      CMD_EMAIL: "false"
    labels:
      - traefik.enable=true
      - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
      - traefik.http.routers.{{ servicename }}.entrypoints=websecure
      - traefik.http.services.{{ servicename }}.loadbalancer.server.port=3000
    networks:
      - default
      - web


  db:

    image: mariadb:10.5.8
    restart: always
    volumes:
      - /srv/hackmd/db:/var/lib/mysql
      - /srv/hackmd/mysql-utf8.cnf:/etc/mysql/conf.d/utf8.cnf
    environment:
      MYSQL_ROOT_PASSWORD: "{{ mysql_root_pass }}"
      MYSQL_PASSWORD: "{{ mysql_user_pass }}"
      MYSQL_DATABASE: "hackmd"
      MYSQL_USER: "hackmd"
    networks:
      - default

networks:
  web:
    external: true