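# Docker Compose stack: Postgres (db), core, enrollment proxy (proxy) and gateway.
#
# Every ${VAR} below is interpolated by Compose from the shell environment or an
# .env file next to this file. An unset variable interpolates to an empty string,
# so a missing secret does not stop the stack from starting. Compose also accepts
# ${VAR:?message}, which aborts with the message when VAR is unset or empty.
# Keep the .env file out of version control and readable only by the deploying user.
#
# Image tags default to `latest`, a mutable tag: set CORE_IMAGE_TAG,
# PROXY_IMAGE_TAG and GATEWAY_IMAGE_TAG to a release tag (or reference images by
# digest) so a restart cannot silently pull different code.
#
# Trailing "# [ENROLLMENT]" / "# [LDAP]" markers are kept exactly as the author
# wrote them.
services:
  db:
    image: postgres:15-alpine
    restart: unless-stopped
    environment:
      POSTGRES_DB: defguard
      POSTGRES_USER: defguard
      POSTGRES_PASSWORD: ${DEFGUARD_DB_PASSWORD}
    volumes:
      - ${VOLUME_DIR:-./.volumes}/db:/var/lib/postgresql/data
    # Left unpublished on purpose: the database is then reachable only by the
    # other services on the Compose network, not from the host's interfaces.
    # ports:
    #   - "5432:5432"

  core:
    image: ghcr.io/defguard/defguard:${CORE_IMAGE_TAG:-latest}
    restart: unless-stopped
    environment:
      # Secrets: supplied from the environment, never written into this file.
      DEFGUARD_AUTH_SECRET: ${DEFGUARD_AUTH_SECRET}
      DEFGUARD_GATEWAY_SECRET: ${DEFGUARD_GATEWAY_SECRET}
      DEFGUARD_YUBIBRIDGE_SECRET: ${DEFGUARD_YUBIBRIDGE_SECRET}
      DEFGUARD_SECRET_KEY: ${DEFGUARD_SECRET_KEY}
      # NOTE(review): presumably a bootstrap credential for the initial admin
      # account; confirm, and change it after first login if so.
      DEFGUARD_DEFAULT_ADMIN_PASSWORD: ${DEFGUARD_DEFAULT_ADMIN_PASSWORD}
      DEFGUARD_DB_HOST: db
      # Quoted so the value stays a string regardless of the YAML loader.
      DEFGUARD_DB_PORT: "5432"
      DEFGUARD_DB_USER: defguard
      DEFGUARD_DB_PASSWORD: ${DEFGUARD_DB_PASSWORD}
      DEFGUARD_DB_NAME: defguard
      DEFGUARD_URL: ${DEFGUARD_URL}
      DEFGUARD_LOG_LEVEL: info
      DEFGUARD_WEBAUTHN_RP_ID: ${DEFGUARD_WEBAUTHN_RP_ID}
      # Defaults to false. NOTE(review): the name suggests this relaxes the
      # cookie Secure attribute; confirm, and leave it false behind HTTPS.
      DEFGUARD_COOKIE_INSECURE: ${DEFGUARD_COOKIE_INSECURE:-false}
      DEFGUARD_ENROLLMENT_URL: ${DEFGUARD_ENROLLMENT_URL} # [ENROLLMENT]
      # NOTE(review): the scheme here is http:// although a CA is configured on
      # the next line and the proxy service is given a gRPC cert and key;
      # confirm that the core -> proxy link is actually protected by TLS.
      DEFGUARD_PROXY_URL: http://proxy:50052 # [ENROLLMENT]
      DEFGUARD_PROXY_GRPC_CA: /ssl/defguard-ca.pem # [ENROLLMENT]
      DEFGUARD_GRPC_CERT: /ssl/defguard-grpc.crt
      DEFGUARD_GRPC_KEY: /ssl/defguard-grpc.key
      ## RSA setup guide: https://defguard.gitbook.io/defguard/community-features/setting-up-your-instance/docker-compose#openid-rsa-setup
      DEFGUARD_OPENID_KEY: /keys/rsakey.pem
      ## LDAP setup guide: https://defguard.gitbook.io/defguard/features/ldap-synchronization-setup
      # The values below are placeholders. When enabling LDAP, supply the bind
      # password through ${...} interpolation like the other secrets; note that
      # the ldap:// scheme is LDAP without TLS.
      # DEFGUARD_LDAP_URL: ldap://localhost:389 # [LDAP]
      # DEFGUARD_LDAP_BIND_USERNAME: cn=admin,dc=example,dc=org # [LDAP]
      # DEFGUARD_LDAP_BIND_PASSWORD: password # [LDAP]
    ports:
      # "HOST:CONTAINER" with no host IP publishes on every host interface.
      # Prefix a host address (for example "127.0.0.1:8850:8000") when a
      # reverse proxy on the same host is the only intended client.
      # web
      - "8850:8000"
      # grpc: the gateway service below connects to this port via
      # https://localhost:50055 from the host network namespace.
      - "50055:50055"
    depends_on:
      - db
    volumes:
      # The same host directory is mounted at /ssl in core, proxy and gateway,
      # so each container can read the key files named in the others'
      # environment. NOTE(review): consider per-service mounts, and a read-only
      # (":ro") mount if the services never write here; confirm before changing.
      # SSL setup guide: https://defguard.gitbook.io/defguard/features/setting-up-your-instance/docker-compose#ssl-setup
      - ${VOLUME_DIR:-./.volumes}/ssl:/ssl
      ## RSA setup guide: https://defguard.gitbook.io/defguard/community-features/setting-up-your-instance/docker-compose#openid-rsa-setup
      - ${VOLUME_DIR:-./.volumes}/core/rsakey.pem:/keys/rsakey.pem

  proxy: # [ENROLLMENT]
    image: ghcr.io/defguard/defguard-proxy:${PROXY_IMAGE_TAG:-latest} # [ENROLLMENT]
    restart: unless-stopped # [ENROLLMENT]
    environment: # [ENROLLMENT]
      DEFGUARD_PROXY_GRPC_PORT: "50052" # [ENROLLMENT]
      DEFGUARD_PROXY_GRPC_CERT: /ssl/defguard-proxy-grpc.crt # [ENROLLMENT]
      DEFGUARD_PROXY_GRPC_KEY: /ssl/defguard-proxy-grpc.key # [ENROLLMENT]
    volumes: # [ENROLLMENT]
      # SSL setup guide: https://defguard.gitbook.io/defguard/features/setting-up-your-instance/docker-compose#ssl-setup
      - ${VOLUME_DIR:-./.volumes}/ssl:/ssl # [ENROLLMENT]
    ports:
      # Published on every host interface; only the web port is exposed, the
      # gRPC port 50052 stays on the Compose network.
      # web
      - "8080:8080"
    depends_on: # [ENROLLMENT]
      - core # [ENROLLMENT]

  gateway:
    image: ghcr.io/defguard/gateway:${GATEWAY_IMAGE_TAG:-latest}
    restart: unless-stopped
    # Host networking plus NET_ADMIN (see cap_add) lets this container change
    # the host's own network configuration. NOTE(review): presumably required
    # for the gateway to manage VPN interfaces on the host; confirm, and treat
    # the gateway image as host-privileged when pinning and updating it.
    network_mode: "host"
    environment:
      # TLS to core, verified against the CA file below.
      DEFGUARD_GRPC_URL: https://localhost:50055
      DEFGUARD_GRPC_CA: /ssl/defguard-ca.pem
      DEFGUARD_STATS_PERIOD: "30"
      DEFGUARD_TOKEN: ${DEFGUARD_TOKEN}
    volumes:
      # SSL setup guide: https://defguard.gitbook.io/defguard/features/setting-up-your-instance/docker-compose#ssl-setup
      - ${VOLUME_DIR:-./.volumes}/ssl:/ssl
    cap_add:
      - NET_ADMIN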