# Copyright (c) Mainflux
# SPDX-License-Identifier: Apache-2.0

# This docker-compose file contains optional certs services. Since it's optional, this file is
# dependent of docker-compose file from <project_root>/docker. In order to run this services, execute command:
# docker-compose -f docker/docker-compose.yml -f docker/addons/certs/docker-compose.yml up
# from project root.

version: "3.7"

networks:
  mainflux-base-net:

volumes:
  mainflux-certs-db-volume:


services:
  certs-db:
    image: postgres:13.3-alpine
    container_name: mainflux-certs-db
    restart: on-failure
    environment:
      POSTGRES_USER: ${MF_CERTS_DB_USER}
      POSTGRES_PASSWORD: ${MF_CERTS_DB_PASS}
      POSTGRES_DB: ${MF_CERTS_DB_NAME}
    networks:
      - mainflux-base-net
    volumes:
      - mainflux-certs-db-volume:/var/lib/postgresql/data

  certs:
    image: mainflux/certs:${MF_RELEASE_TAG}
    container_name: mainflux-certs
    depends_on:
      - certs-db
    restart: on-failure
    networks:
      - mainflux-base-net
    ports:
      - ${MF_CERTS_HTTP_PORT}:${MF_CERTS_HTTP_PORT}
    environment:
      MF_CERTS_LOG_LEVEL: ${MF_CERTS_LOG_LEVEL}
      MF_SDK_CERTS_URL: ${MF_SDK_CERTS_URL}
      MF_CERTS_SIGN_CA_PATH: ${MF_CERTS_SIGN_CA_PATH}
      MF_CERTS_SIGN_CA_KEY_PATH: ${MF_CERTS_SIGN_CA_KEY_PATH}
      MF_CERTS_VAULT_HOST: ${MF_CERTS_VAULT_HOST}
      MF_VAULT_PKI_INT_PATH: ${MF_VAULT_PKI_INT_PATH}
      MF_VAULT_CA_ROLE_NAME: ${MF_VAULT_CA_ROLE_NAME}
      MF_VAULT_PKI_PATH: ${MF_VAULT_PKI_PATH}
      MF_VAULT_TOKEN: ${MF_VAULT_TOKEN}
      MF_CERTS_HTTP_HOST: ${MF_CERTS_HTTP_HOST}
      MF_CERTS_HTTP_PORT: ${MF_CERTS_HTTP_PORT}
      MF_CERTS_HTTP_SERVER_CERT: ${MF_CERTS_HTTP_SERVER_CERT}
      MF_CERTS_HTTP_SERVER_KEY: ${MF_CERTS_HTTP_SERVER_KEY}
      MF_CERTS_DB_HOST: ${MF_CERTS_DB_HOST}
      MF_CERTS_DB_PORT: ${MF_CERTS_DB_PORT}
      MF_CERTS_DB_PASS: ${MF_CERTS_DB_PASS}
      MF_CERTS_DB_USER: ${MF_CERTS_DB_USER}
      MF_CERTS_DB_NAME: ${MF_CERTS_DB_NAME}
      MF_CERTS_DB_SSL_MODE: ${MF_CERTS_DB_SSL_MODE}
      MF_CERTS_DB_SSL_CERT: ${MF_CERTS_DB_SSL_CERT}
      MF_CERTS_DB_SSL_KEY: ${MF_CERTS_DB_SSL_KEY}
      MF_CERTS_DB_SSL_ROOT_CERT: ${MF_CERTS_DB_SSL_ROOT_CERT}
      MF_AUTH_GRPC_URL: ${MF_AUTH_GRPC_URL}
      MF_AUTH_GRPC_TIMEOUT: ${MF_AUTH_GRPC_TIMEOUT}
      MF_AUTH_GRPC_CLIENT_CERT: ${MF_AUTH_GRPC_CLIENT_CERT:+/users-grpc-client.crt}
      MF_AUTH_GRPC_CLIENT_KEY: ${MF_AUTH_GRPC_CLIENT_KEY:+/users-grpc-client.key}
      MF_AUTH_GRPC_SERVER_CA_CERTS: ${MF_AUTH_GRPC_SERVER_CA_CERTS:+/users-grpc-server-ca.crt}
      MF_THINGS_URL: ${MF_THINGS_URL}
      MF_JAEGER_URL: ${MF_JAEGER_URL}
      MF_SEND_TELEMETRY: ${MF_SEND_TELEMETRY}
      MF_CERTS_INSTANCE_ID: ${MF_CERTS_INSTANCE_ID}
    volumes:
      - ../../ssl/certs/ca.key:/etc/ssl/certs/ca.key
      - ../../ssl/certs/ca.crt:/etc/ssl/certs/ca.crt
      - type: bind
        source: ${MF_ADDONS_CERTS_PATH_PREFIX}${MF_USERS_GRPC_CLIENT_CERT:-./ssl/certs/dummy/client_cert}
        target: /users-grpc-client${MF_USERS_GRPC_CLIENT_CERT:+.crt}
        bind:
          create_host_path: true
      - type: bind
        source: ${MF_ADDONS_CERTS_PATH_PREFIX}${MF_USERS_GRPC_CLIENT_KEY:-./ssl/certs/dummy/client_key}
        target: /users-grpc-client${MF_USERS_GRPC_CLIENT_KEY:+.key}
        bind:
          create_host_path: true
      - type: bind
        source: ${MF_ADDONS_CERTS_PATH_PREFIX}${MF_USERS_GRPC_SERVER_CA_CERTS:-./ssl/certs/dummy/server_ca}
        target: /users-grpc-server-ca${MF_USERS_GRPC_SERVER_CA_CERTS:+.crt}
        bind:
          create_host_path: true