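---
# Keycloak + PostgreSQL stack. The file is rendered as a Jinja template first
# ({{ service_directory }}, {{ service_user_id }}, {{ service_group_id }} are
# substituted before docker compose reads it); ${...} values are resolved by
# docker compose from the environment / .env file, so no credential is stored
# in this file itself.
services:
  db:
    image: postgres:16
    restart: always
    environment:
      - POSTGRES_USER=${DB_USER}
      - POSTGRES_PASSWORD=${DB_PASSWORD}
      - POSTGRES_DB=keycloak
    # Report readiness so keycloak waits for an accepting database instead of
    # racing it on first start. "$$" leaves the variables to the container
    # shell rather than having compose expand them.
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB}"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - default
    volumes:
      # quoted so the rendered path is always read as a string
      - "{{ service_directory }}/data/db:/var/lib/postgresql/data"

  keycloak:
    image: quay.io/keycloak/keycloak:26.4.0
    restart: always
    environment:
      # NOTE(review): the upstream keycloak image does not document USER_UID /
      # USER_GID; they look like a carry-over from another image — confirm they
      # are honoured, otherwise fix the data volume ownership on the host.
      - USER_UID={{ service_user_id }}
      - USER_GID={{ service_group_id }}
      # Admin bootstrap (only consumed when the master realm is first created)
      - KC_BOOTSTRAP_ADMIN_USERNAME=admin
      - KC_BOOTSTRAP_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD}
      # DB
      - KC_DB=postgres
      - KC_DB_URL=jdbc:postgresql://db:5432/keycloak
      - KC_DB_USERNAME=${DB_USER}
      - KC_DB_PASSWORD=${DB_PASSWORD}
      # Reverse proxy / hostname
      - KC_HOSTNAME=auth.lehmannhaus.de  # <- your domain
      # KC_PROXY=edge belongs to the option set removed in Keycloak 26; with it
      # the X-Forwarded-* headers from the TLS-terminating proxy are not
      # trusted and redirect/issuer URLs come out wrong. proxy-headers is the
      # replacement. Only the proxy may reach port 8080 for this to be safe.
      - KC_PROXY_HEADERS=xforwarded
      - KC_HTTP_ENABLED=true  # plaintext internally (NPM terminates TLS)
      # NOTE(review): hostname-strict-https is a hostname v1 option; on 26.x it
      # is probably ignored with a warning — check the startup log and drop it
      # if so.
      - KC_HOSTNAME_STRICT_HTTPS=true
      # optional: health / metrics (served on the management port, not 8080)
      - KC_HEALTH_ENABLED=true
      - KC_METRICS_ENABLED=true
    volumes:
      - "{{ service_directory }}/data/keycloak:/opt/keycloak/data"
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    # NOTE(review): this publishes the plaintext HTTP listener on every host
    # interface. If NPM reaches keycloak via the host, bind it to loopback
    # ("127.0.0.1:8080:8080"); if NPM shares the docker network, the mapping
    # can be dropped entirely.
    ports:
      - "8080:8080"
    # Long form: a bare "db:" key is YAML null, not a dependency entry.
    depends_on:
      db:
        condition: service_healthy
    command: ["start"]
    networks:
      - default

networks:
  default:
    ipam:
      driver: default
      config:
        # NOTE(review): 172.10.0.0/16 is not RFC 1918 private space (that is
        # 172.16.0.0/12), so this bridge shadows a public /16 for every
        # container and the host. Pick an unused private range instead.
        - subnet: 172.10.0.0/16
          gateway: 172.10.0.1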