version: "3.9"

services:
  broker:
    image: docker.io/library/redis:7
    restart: unless-stopped
    volumes:
      - redisdata:/data
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 3s
      retries: 5
    networks:
      - web

  db:
    image: docker.io/library/postgres:15
    restart: unless-stopped
    volumes:
      - pgdata:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: paperless
      POSTGRES_USER: paperless
      POSTGRES_PASSWORD: paperless
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB} || exit 1"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - web

  webserver:
    image: ghcr.io/paperless-ngx/paperless-ngx:latest
    restart: unless-stopped
    depends_on:
      - db
      - broker
    ports:
      - "8000:8000"
    volumes:
      - data:/usr/src/paperless/data
      - media:/usr/src/paperless/media
      - ./export:/usr/src/paperless/export
      - ./consume:/usr/src/paperless/consume
    environment:
      PAPERLESS_DBHOST: db
      PAPERLESS_DBNAME: paperless
      PAPERLESS_DBUSER: paperless
      PAPERLESS_DBPASS: paperless
      PAPERLESS_REDIS: redis://broker:6379/0
      PAPERLESS_TIME_ZONE: "America/Chicago"
      PAPERLESS_SECRET_KEY: "replace-with-a-64-char-random-string"
      PAPERLESS_ADMIN_USER: admin@example.local
      PAPERLESS_ADMIN_PASSWORD: changeme
      PAPERLESS_ALLOWED_HOSTS: '["paperless.sj98.duckdns.org"]'
      PAPERLESS_CSRF_TRUSTED_ORIGINS: '["https://paperless.sj98.duckdns.org"]'

       # Add / adjust these for running behind Traefik:
      PAPERLESS_URL: "https://paperless.sj98.duckdns.org"          # required/preferred
      PAPERLESS_PROXY_SSL_HEADER: '["HTTP_X_FORWARDED_PROTO","https"]'  # tells Django to treat X-Forwarded-Proto=https as TLS
      PAPERLESS_USE_X_FORWARD_HOST: "true"                         # optional, can help URL generation
      PAPERLESS_USE_X_FORWARD_PORT: "true"                         # optional
      # Optional: restrict trusted proxies to your docker network or Traefik IP
      # PAPERLESS_TRUSTED_PROXIES: "172.18.0.0/16"   # <-- replace with your web network subnet or Traefik IP if you want to lock down
    networks:
      - web
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.paperless.rule=Host(`paperless.sj98.duckdns.org`)"
      - "traefik.http.routers.paperless.entrypoints=websecure"
      - "traefik.http.routers.paperless.tls=true"
      - "traefik.http.routers.paperless.tls.certresolver=duckdns"
      - "traefik.http.services.paperless.loadbalancer.server.port=8000"
      - "tsdproxy.enable=true"
      - "tsdproxy.name=paperless"

volumes:
  data:
  media:
  pgdata:
  redisdata:

networks:
  web:
    external: true