# =============================================================================
# Organization Stack - Docker Compose Configuration
# =============================================================================
# Defines six core services and their dependencies:
#   1. lldap        - Lightweight LDAP directory for user management
#   2. Authelia     - SSO authentication server with 2FA support
#   3. Gitea        - Self-hosted Git service (uses OIDC for authentication)
#   4. JSPWiki      - Wiki platform (uses forward-auth for authentication)
#   5. Registration - User self-provisioning service (forward-auth for admin)
#   6. Caddy        - Reverse proxy with automatic HTTPS
# =============================================================================
# Review notes (security):
#   - authelia, gitea and caddy are pulled as ":latest"; any upstream release is
#     picked up unreviewed on the next pull. Pin a validated tag (ideally with
#     an @sha256 digest) once the stack is in production.
#   - Trust boundary: only Caddy publishes HTTP/HTTPS host ports, plus Gitea's
#     SSH port. Every other service is reachable solely over the internal
#     bridge network "org-network".
#   - Secrets are file-mounted (*_FILE variables) except the SMTP password,
#     which is passed as a plain environment variable in two services (see
#     the inline notes on authelia and registration).
# =============================================================================

services:
  # ===========================================================================
  # lldap - Lightweight LDAP Directory
  # ===========================================================================
  # Centralized user and group management.
  # All user credentials are stored here; other services authenticate against it.
  # Accessible only via Caddy (web UI) and the internal Docker network (LDAP
  # protocol). No host port is published, so LDAP is never reachable directly.
  lldap:
    image: lldap/lldap:stable
    container_name: lldap
    environment:
      - UID=${USER_UID:-1000}
      - GID=${USER_GID:-1000}
      - TZ=${TZ:-UTC}
      # Secrets are read from files under the /secrets mount, not from the
      # environment, so they do not show up in `docker inspect`.
      - LLDAP_JWT_SECRET_FILE=/secrets/JWT_SECRET
      - LLDAP_LDAP_USER_PASS_FILE=/secrets/LDAP_USER_PASS
      # No default: LDAP_BASE_DN must be set in the environment/.env, otherwise
      # Compose substitutes an empty string.
      - LLDAP_LDAP_BASE_DN=${LDAP_BASE_DN}
    volumes:
      - lldap_data:/data                # Persistent LDAP database
      - ./secrets/lldap:/secrets:ro     # Read-only secrets mount
    networks:
      - org-network
    restart: unless-stopped

  # ===========================================================================
  # Authelia - SSO Authentication & Authorization Server
  # ===========================================================================
  # Provides single sign-on, two-factor authentication, and access control.
  # Acts as both OIDC provider (for Gitea) and forward-auth endpoint
  # (for Wiki/lldap/registration admin).
  # Accessible only via Caddy and the internal Docker network.
  authelia:
    image: authelia/authelia:latest   # NOTE(review): unpinned tag, see header
    container_name: authelia
    environment:
      - TZ=${TZ:-UTC}
      # All Authelia secrets are loaded from files (never from the environment)
      - AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE=/secrets/RESET_PASSWORD_JWT_SECRET
      - AUTHELIA_SESSION_SECRET_FILE=/secrets/SESSION_SECRET
      - AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/secrets/STORAGE_ENCRYPTION_KEY
      - AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE=/secrets/OIDC_HMAC_SECRET
      - AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE=/secrets/OIDC_PRIVATE_KEY
      # LDAP bind password: this is the same file lldap itself uses as its
      # admin password, i.e. Authelia binds with full directory privileges.
      # NOTE(review): a dedicated read-only bind account would be least
      # privilege; the bind DN is set in ./authelia/configuration.yml (not
      # visible here) - confirm which user it names.
      - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE=/secrets-lldap/LDAP_USER_PASS
      # SMTP configuration (for email notifications - see SMTP_SETUP.md).
      # Presumably consumed by template expansion in configuration.yml - confirm.
      - SMTP_HOST=${SMTP_HOST:-localhost}
      - SMTP_PORT=${SMTP_PORT:-587}
      - SMTP_USER=${SMTP_USER:-}
      # NOTE(review): unlike the *_FILE secrets above, the SMTP password sits
      # in the container environment (readable via `docker inspect` and by any
      # process in the container). Authelia's AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
      # secret would keep it file-based like the others.
      - SMTP_PASSWORD=${SMTP_PASSWORD:-}
      - SMTP_FROM=${SMTP_FROM:-noreply@localhost}
      - AUTH_SUBDOMAIN=${AUTH_SUBDOMAIN:-auth}
      - REGISTRATION_ADMIN_EMAIL=${REGISTRATION_ADMIN_EMAIL:-}
    volumes:
      - ./authelia/configuration.yml:/config/configuration.yml:ro
      - ./secrets/authelia:/secrets:ro          # Authelia's own secrets
      - ./secrets/lldap:/secrets-lldap:ro       # lldap password for LDAP bind
      - authelia_data:/data                     # Sessions, 2FA registrations
    networks:
      - org-network
    restart: unless-stopped
    depends_on:
      - lldap   # start-order only; no readiness check is configured

  # ===========================================================================
  # Gitea - Self-Hosted Git Service
  # ===========================================================================
  # Git repository hosting with web UI.
  # Uses OIDC to authenticate users through Authelia (SSO).
  # Web interface accessible only via Caddy.
  # SSH exposed on the host for Git operations (git clone, push, pull).
  gitea:
    image: gitea/gitea:latest   # NOTE(review): unpinned tag, see header
    container_name: gitea
    ports:
      # Git SSH access (required for git operations). This is the only
      # non-Caddy host port in the stack; SSH auth is key-based in Gitea.
      - "${GITEA_SSH_PORT:-2222}:22"
    environment:
      - USER_UID=${USER_UID:-1000}
      - USER_GID=${USER_GID:-1000}
      - GITEA__database__DB_TYPE=sqlite3
      # No defaults: GITEA_SUBDOMAIN and BASE_DOMAIN must be set externally.
      - GITEA__server__DOMAIN=${GITEA_SUBDOMAIN}.${BASE_DOMAIN}
      - GITEA__server__ROOT_URL=https://${GITEA_SUBDOMAIN}.${BASE_DOMAIN}
      - GITEA__server__SSH_DOMAIN=${GITEA_SUBDOMAIN}.${BASE_DOMAIN}
      - GITEA__server__SSH_PORT=${GITEA_SSH_PORT:-2222}
      # OIDC client settings. ACCOUNT_LINKING=auto attaches an OIDC login to
      # an existing Gitea account with the same e-mail without confirmation;
      # acceptable here only because e-mail addresses originate from lldap
      # (admin-managed), not from user self-assertion.
      - GITEA__oauth2_client__ACCOUNT_LINKING=auto
      - GITEA__oauth2_client__ENABLE_AUTO_REGISTRATION=true
      - GITEA__oauth2_client__USERNAME=preferred_username
      - GITEA__oauth2_client__OPENID_CONNECT_SCOPES=openid email profile
      - GITEA__openid__ENABLE_OPENID_SIGNIN=false
      # NOTE(review): local (non-OIDC) sign-up is not disabled in this file.
      # Unless app.ini in gitea_data already sets it, Gitea-only accounts that
      # bypass lldap/Authelia could be created via the web UI - confirm.
      # Trust Caddy's self-signed CA when USE_SELF_SIGNED_CERTS=true.
      # The bundle path is inside gitea_data (/data); how it is produced is
      # not shown in this file - presumably deploy.sh copies it from the
      # caddy_data mount below. Verify.
      - SSL_CERT_FILE=/data/ca-bundle.crt
    volumes:
      - gitea_data:/data                        # Git repos, database, config
      # NOTE(review): this exposes Caddy's whole data volume - including the
      # local CA private key and all site certificate keys - to the Gitea
      # container, read-only. Only the CA certificate is needed; a narrower
      # mount (or copying just root.crt at deploy time) would limit the blast
      # radius of a Gitea compromise.
      - caddy_data:/caddy_data:ro               # Access Caddy's self-signed CA
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    networks:
      - org-network
    restart: unless-stopped
    depends_on:
      - authelia

  # ===========================================================================
  # JSPWiki - Wiki Platform
  # ===========================================================================
  # Collaborative wiki with LDAP user synchronization.
  # Uses forward-auth: trusts the Remote-User header set by Authelia via Caddy.
  # That trust is only sound because no host port is published on this
  # service (none is below) - a client that could reach the container directly
  # could set the header itself. Keep it that way.
  jspwiki:
    build: ./jspwiki   # Custom image with RemoteUserFilter
    container_name: jspwiki
    environment:
      - LDAP_BASE_DN=${LDAP_BASE_DN}   # no default; must be set externally
    volumes:
      - jspwiki_data:/var/jspwiki               # Wiki pages and config
      - ./jspwiki-custom.properties:/usr/local/tomcat/lib/jspwiki-custom.properties:ro
      - ./jspwiki.policy:/usr/local/tomcat/webapps/ROOT/WEB-INF/jspwiki.policy:ro
      # Grants the wiki the lldap admin password (full directory privileges)
      # for user sync; a read-only sync account would be least privilege.
      - ./secrets/lldap:/secrets-lldap:ro       # lldap admin password for sync
    networks:
      - org-network
    restart: unless-stopped
    depends_on:
      - lldap

  # ===========================================================================
  # Registration - User Self-Provisioning Service
  # ===========================================================================
  # Public registration form and admin approval dashboard.
  # Public route:    /       (registration form - reachable without login)
  # Protected route: /admin  (requires forward-auth via Authelia, enforced in
  #                           Caddy, not in this service)
  # Creates approved users in lldap via LDAP protocol (ldapadd + ldappasswd),
  # which is why it holds the lldap admin password.
  registration:
    build: ./registration   # FastAPI application
    container_name: registration
    # Runs as the unprivileged host UID/GID rather than root (the only service
    # here that sets `user:` explicitly).
    user: "${USER_UID:-1000}:${USER_GID:-1000}"
    environment:
      - DATABASE_PATH=/data/registrations.db
      - LLDAP_ADMIN_USER=admin
      - LDAP_BASE_DN=${LDAP_BASE_DN}
      - ADMIN_EMAIL=${REGISTRATION_ADMIN_EMAIL:-}
      - SMTP_ENABLED=${SMTP_ENABLED:-false}
      - SMTP_HOST=${SMTP_HOST:-localhost}
      - SMTP_PORT=${SMTP_PORT:-587}
      - SMTP_USER=${SMTP_USER:-}
      # NOTE(review): plain environment variable, not a file-backed secret
      # (same concern as in the authelia service).
      - SMTP_PASSWORD=${SMTP_PASSWORD:-}
      # Default differs from authelia's SMTP_FROM (noreply@localhost there,
      # empty here); intentional or drift - confirm.
      - SMTP_FROM=${SMTP_FROM:-}
      - SMTP_USE_TLS=${SMTP_USE_TLS:-true}
    volumes:
      - registration_data:/data                 # SQLite database and audit log
      - ./secrets/lldap:/secrets-lldap:ro       # lldap admin password for user creation
    networks:
      - org-network
    restart: unless-stopped
    depends_on:
      - lldap
      - authelia

  # ===========================================================================
  # Caddy - Reverse Proxy with Automatic HTTPS
  # ===========================================================================
  # Terminates TLS and routes traffic to backend services.
  # Obtains Let's Encrypt certificates automatically, or issues certificates
  # from its own local CA when USE_SELF_SIGNED_CERTS=true (see gitea above).
  # Enforces authentication via forward-auth for wiki, lldap and the
  # registration admin route; the access rules themselves live in the
  # Caddyfile, not here.
  caddy:
    image: caddy:latest   # NOTE(review): unpinned tag, see header
    container_name: caddy
    ports:
      - "${HTTP_PORT:-80}:80"           # HTTP (redirects to HTTPS)
      - "${HTTPS_PORT:-443}:443"        # HTTPS
      - "${HTTPS_PORT:-443}:443/udp"    # HTTP/3 (QUIC)
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro   # Generated from template by deploy.sh
      # TLS certificates and private keys (also mounted read-only into gitea).
      - caddy_data:/data
      - caddy_config:/config                   # Caddy runtime config
    networks:
      - org-network
    restart: unless-stopped
    depends_on:
      - lldap
      - authelia
      - gitea
      - jspwiki
      - registration

# =============================================================================
# Networks
# =============================================================================
# All services communicate on an internal bridge network using Docker hostnames.
# External access is ONLY through the Caddy reverse proxy (ports 80/443).
# Exception: Gitea SSH port for Git operations (default 2222).
# No direct access to any backend service; web routes require Authelia
# authentication via Caddy, except the public registration form at / on the
# registration service (by design).
networks:
  org-network:
    driver: bridge

# =============================================================================
# Volumes
# =============================================================================
# Persistent storage for all services.
# Back these up regularly with: ./manage.sh backup
# (Backups of lldap_data, authelia_data and caddy_data contain credential
# material - password hashes, session state, private keys - and need the same
# protection as the secrets directory.)
volumes:
  lldap_data:          # LDAP database (users, groups)
  authelia_data:       # Authentication state (sessions, 2FA registrations)
  gitea_data:          # Git repositories and Gitea database
  jspwiki_data:        # Wiki pages and attachments
  registration_data:   # Registration requests and audit log
  caddy_data:          # TLS certificates/keys (Let's Encrypt or local CA)
  caddy_config:        # Caddy runtime configuration