services:
  peertube:
    image: chocobozzz/peertube:production-bookworm
    container_name: peertube
    networks:
      - proxy
    ports:
      - "1935"
    depends_on:
      postgres-peertube:
        condition: service_healthy
      redis-peertube:
        condition: service_started
    environment: 
      - PEERTUBE_DB_USERNAME=${POSTGRES_USER}
      - PEERTUBE_DB_PASSWORD=${POSTGRES_PASSWORD}
      - PEERTUBE_DB_SSL=false
      - PEERTUBE_DB_HOSTNAME=postgres-peertube
      - PEERTUBE_REDIS_HOSTNAME=redis-peertube
      - PEERTUBE_WEBSERVER_HOSTNAME=${PEERTUBE_HOSTNAME}
      - PEERTUBE_TRUST_PROXY=["127.0.0.1", "loopback", "172.18.0.0/16"]
      - PEERTUBE_SECRET=${PEERTUBE_SECRET}
      - PEERTUBE_ADMIN_EMAIL=${PEERTUBE_ADMIN_EMAIL}
      - PT_INITIAL_ROOT_PASSWORD=${PT_INITIAL_ROOT_PASSWORD}
      - PEERTUBE_PLUGIN_AUTH_OPENID_CONNECT_DISCOVER_URL=https://auth.chatons.duckdns.org/realms/chatons/.well-known/openid-configuration
      - PEERTUBE_PLUGIN_AUTH_OPENID_CONNECT_CLIENT_ID=peertube
      - PEERTUBE_PLUGIN_AUTH_OPENID_CONNECT_CLIENT_SECRET=${PEERTUBE_OIDC_CLIENT_SECRET}
      - PEERTUBE_PLUGIN_AUTH_OPENID_CONNECT_SCOPE=openid profile email
      - PEERTUBE_PLUGIN_AUTH_OPENID_CONNECT_USERNAME_PROPERTY=preferred_username
      - PEERTUBE_PLUGIN_AUTH_OPENID_CONNECT_MAIL_PROPERTY=email
      - PEERTUBE_PLUGIN_AUTH_OPENID_CONNECT_DISPLAY_NAME_PROPERTY=name
    volumes: 
      - peertube-data:/data
      - peertube-config:/config
    security_opt:
      - no-new-privileges:true

  postgres-peertube:
    image: library/postgres
    container_name: peertube-db
    read_only: true
    environment: 
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
      - POSTGRES_DB=peertube
    tmpfs:
      - /tmp
      - /run/postgresql
    volumes: 
      - postgres-peer-data:/var/lib/postgresql
    networks: 
      - proxy
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d peertube"]
      interval: 5s
      timeout: 5s
      retries: 5
    security_opt:
      - no-new-privileges:true

  redis-peertube:
    image: library/redis
    container_name: peertube-redis
    read_only: true
    tmpfs:
      - /tmp
    volumes:
      - redis-peer-data:/data
    networks:
      - proxy
    security_opt:
      - no-new-privileges:true


volumes: 
  peertube-data:
    name: peertube-data
  peertube-config: 
    name: peertube-config
  postgres-peer-data:
    name: postgres-peer-data
  redis-peer-data: 
    name: redis-peer-data

networks:
  proxy:
    name: proxy
    external: true