# Password Pusher - Docker Compose
#
# --- Quick start (recommended) ---
# The most important setup step is setting `TLS_DOMAIN` so Password Pusher
# automatically provisions and renews HTTPS/TLS certificates (Let's Encrypt).
#
# 1) Point your domain DNS to this host.
# 2) Set `TLS_DOMAIN` below (example: `TLS_DOMAIN: "pwpush.example.com"`).
# 3) Start:
#      docker compose up -d
# 4) Open:
#      https://pwpush.example.com
# 5) Stop:
#      docker compose down
#
# --- Secrets in this file ---
# PWPUSH_MASTER_KEY, PWP__MAIL__SMTP_PASSWORD and the cloud storage access keys
# are secrets. If you set them here, keep this file out of version control and
# readable only by the deploying user, or move them to the optional `.env` file
# (see `env_file` in the service below) under the same restrictions.

x-env: &x-env
  environment:
    # --- Overview ---
    # Sensible defaults are set below; the app runs out of the box.
    # Standard approach: configure by setting values directly in this `environment` block.
    # Optional approach: keep values in an external `.env` file (enable `env_file` below).
    #
    # All configuration options below are described in more detail in the Password Pusher Configuration documentation:
    # https://docs.pwpush.com/docs/self-hosted-configuration/
    #
    # --- Most common settings ---
    # TLS_DOMAIN: ""                # Strongly recommended: enables automatic HTTPS/TLS via Let's Encrypt
    # PWPUSH_MASTER_KEY: ""         # Set your own encryption key (recommended)
    # SMTP settings below           # Required for account emails/logins

    # --- Security & TLS ---
    # PWPUSH_MASTER_KEY: This sets the encryption key for the database. If omitted, a default encryption key is used.
    #   For production, generate your own key and set it here so encrypted pushes use your key.
    #   A default key that ships with the software is the same for every install that leaves this
    #   unset, so it does not protect stored pushes from anyone who obtains a copy of the database
    #   or of the storage volume.
    #   For key rotation, put old encryption key(s) in PWPUSH_MASTER_KEY_PREVIOUS (comma-separated).
    #   NOTE(review): presumably pushes encrypted under a key that is listed in neither variable can
    #   no longer be decrypted - keep a protected backup of the key; confirm in the docs.
    #   Generate a new key here: https://us.pwpush.com/generate_key
    #   NOTE(review): a key produced by a hosted page has been handled outside this host. For
    #   production prefer generating it locally (presumably 32 random bytes, hex-encoded, e.g.
    #   `openssl rand -hex 32` - confirm the expected format in the configuration docs).
    # PWPUSH_MASTER_KEY: ""
    #
    # TLS_DOMAIN: For automatic TLS/SSL (e.g. HTTPS via Let's Encrypt), create a DNS record that
    #   points to this host, then set this env var to that domain (e.g. pwpush.example.com).
    #   The container will provision and renew certificates automatically.
    #   This is the key setting for a production-like HTTPS setup.
    # TLS_DOMAIN: ""

    # --- Features ---
    # NOTE(review): if the commented values reflect the defaults, anonymous pushes are enabled.
    # On an internet-facing instance decide deliberately whether unauthenticated visitors should
    # be able to create pushes, and set PWP__ALLOW_ANONYMOUS accordingly.
    # PWP__ENABLE_URL_PUSHES: "true"
    # PWP__ENABLE_FILE_PUSHES: "true"
    # PWP__ENABLE_QR_PUSHES: "true"
    # PWP__ALLOW_ANONYMOUS: "true"

    # --- Deployment & URL ---
    # NOTE(review): when running behind a reverse proxy, limit PWP__TRUSTED_PROXIES to the proxy's
    # own address(es). Trusting a wider range lets clients spoof their source IP in forwarded
    # headers, which presumably also weakens the throttling settings further down - confirm.
    # PWP__HOST_DOMAIN: ""
    # PWP__HOST_PROTOCOL: "https"
    # PWP__OVERRIDE_BASE_URL: ""
    # PWP__ALLOWED_HOSTS: ""
    # PWP__TRUSTED_PROXIES: ""
    # PWP__CLOUDFLARE_PROXY: "false"

    # --- Authentication ---
    # For a private instance, consider PWP__DISABLE_SIGNUPS: "true" or restricting sign-ups to your
    # own mail domain with PWP__SIGNUP_EMAIL_REGEXP, so that outsiders cannot create accounts.
    # PWP__LOGIN_SESSION_TIMEOUT: "2 hours"
    # PWP__DISABLE_SIGNUPS: "false"
    # PWP__DISABLE_LOGINS: "false"
    # PWP__SIGNUP_EMAIL_REGEXP: ""
    # PWP__ENABLE_USER_ACCOUNT_EMAILS: "false" # Make sure to set SMTP settings below first or error 500s shall be granted to you!

    # --- Mail (required for logins / account emails) ---
    # See the documentation: https://docs.pwpush.com/docs/self-hosted-configuration/#smtp-when-you-need-mail
    # PWP__MAIL__SMTP_PASSWORD is a credential: use a dedicated, send-only mail account where
    # possible and treat the value like the other secrets in this file.
    # PWP__MAIL__RAISE_DELIVERY_ERRORS: "false"
    # PWP__MAIL__SMTP_ADDRESS: ""
    # PWP__MAIL__SMTP_DOMAIN: ""
    # PWP__MAIL__SMTP_PORT: "587"
    # PWP__MAIL__SMTP_AUTHENTICATION: ""
    # PWP__MAIL__SMTP_USER_NAME: ""
    # PWP__MAIL__SMTP_PASSWORD: ""
    # PWP__MAIL__SMTP_ENABLE_STARTTLS_AUTO: "true"
    # PWP__MAIL__SMTP_OPEN_TIMEOUT: "10"
    # PWP__MAIL__SMTP_READ_TIMEOUT: "10"
    # PWP__MAIL__MAILER_SENDER: ""

    # --- Push: password (pw) ---
    # The *_MAX values cap how long, and for how many views, a secret can stay retrievable;
    # lower them if your policy calls for shorter exposure.
    # PWP__PW__EXPIRE_AFTER_DAYS_DEFAULT: "7"
    # PWP__PW__EXPIRE_AFTER_DAYS_MIN: "1"
    # PWP__PW__EXPIRE_AFTER_DAYS_MAX: "90"
    # PWP__PW__EXPIRE_AFTER_VIEWS_DEFAULT: "5"
    # PWP__PW__EXPIRE_AFTER_VIEWS_MIN: "1"
    # PWP__PW__EXPIRE_AFTER_VIEWS_MAX: "100"
    # PWP__PW__ENABLE_RETRIEVAL_STEP: "true"
    # PWP__PW__RETRIEVAL_STEP_DEFAULT: "false"
    # PWP__PW__ENABLE_DELETABLE_PUSHES: "true"
    # PWP__PW__DELETABLE_PUSHES_DEFAULT: "true"
    # PWP__PW__ENABLE_BLUR: "true"

    # --- Push: URL ---
    # PWP__URL__EXPIRE_AFTER_DAYS_DEFAULT: "7"
    # PWP__URL__EXPIRE_AFTER_VIEWS_DEFAULT: "5"
    # PWP__URL__ENABLE_RETRIEVAL_STEP: "true"
    # PWP__URL__RETRIEVAL_STEP_DEFAULT: "false"

    # --- Push: files ---
    # This is the only variable set (uncommented) in this block.
    PWP__FILES__STORAGE: "local" # See: https://docs.pwpush.com/docs/self-hosted-configuration/#file-storage-backends
    # PWP__FILES__EXPIRE_AFTER_DAYS_DEFAULT: "7"
    # PWP__FILES__EXPIRE_AFTER_VIEWS_DEFAULT: "5"
    # PWP__FILES__ENABLE_RETRIEVAL_STEP: "true"
    # PWP__FILES__RETRIEVAL_STEP_DEFAULT: "false"
    # PWP__FILES__ENABLE_DELETABLE_PUSHES: "true"
    # PWP__FILES__DELETABLE_PUSHES_DEFAULT: "true"
    # PWP__FILES__BLUR: "true"
    # PWP__FILES__MAX_FILE_UPLOADS: "10"
    # S3: PWP__FILES__S3__ENDPOINT, ACCESS_KEY_ID, SECRET_ACCESS_KEY, REGION, BUCKET
    # GCS: PWP__FILES__GCS__PROJECT, CREDENTIALS, BUCKET, IAM, GSA_EMAIL
    # Azure: PWP__FILES__AS__STORAGE_ACCOUNT_NAME, STORAGE_ACCESS_KEY, CONTAINER
    # For any cloud backend, use credentials scoped to the single bucket/container that holds the
    # uploads rather than account-wide keys, and keep that bucket/container private.

    # --- Push: QR ---
    # PWP__QR__EXPIRE_AFTER_DAYS_DEFAULT: "7"
    # PWP__QR__EXPIRE_AFTER_VIEWS_DEFAULT: "5"
    # PWP__QR__ENABLE_RETRIEVAL_STEP: "true"
    # PWP__QR__RETRIEVAL_STEP_DEFAULT: "false"
    # PWP__QR__ENABLE_DELETABLE_PUSHES: "true"
    # PWP__QR__DELETABLE_PUSHES_DEFAULT: "true"

    # --- Password generator (gen) ---
    # PWP__GEN__HAS_NUMBERS: "true"
    # PWP__GEN__TITLE_CASED: "true"
    # PWP__GEN__USE_SEPARATORS: "true"
    # PWP__GEN__CONSONANTS: ""
    # PWP__GEN__VOWELS: ""
    # PWP__GEN__SEPARATORS: ""
    # PWP__GEN__MAX_SYLLABLE_LENGTH: "3"
    # PWP__GEN__MIN_SYLLABLE_LENGTH: "1"
    # PWP__GEN__SYLLABLES_COUNT: "3"

    # --- Branding & UI ---
    # PWP__BRAND__TITLE: ""
    # PWP__BRAND__TAGLINE: ""
    # PWP__BRAND__DISCLAIMER: ""
    # PWP__BRAND__SHOW_FOOTER_MENU: "true"
    # PWP__SHOW_VERSION: "true"
    # PWP__SHOW_GDPR_CONSENT_BANNER: "false"
    # PWP__THEME: "default" # See: https://docs.pwpush.com/docs/rebranding/#themes
    # PWP_PRECOMPILE: "false" # DEPRECATED. Precompilation now happens automatically when PWP__THEME is set. Keeping for backward compatibility.

    # --- Locale ---
    # PWP__DEFAULT_LOCALE: "en"

    # --- Security & infra ---
    # NOTE(review): PWP__SECURE_COOKIES presumably controls the Secure attribute on session cookies.
    # Once the site is served over HTTPS (TLS_DOMAIN or a TLS-terminating proxy), set it to "true"
    # so cookies are not sent over plain HTTP - confirm against the configuration docs.
    # PWP__SECURE_COOKIES: "false"
    # PWP__THROTTLING__MINUTE: "120"
    # PWP__THROTTLING__SECOND: "60"
    # PWP__PURGE_AFTER: "disabled"

    # --- Logging ---
    # PWP__LOG_LEVEL: "warn"
    # PWP__LOG_TO_STDOUT: "true"

    # --- Docker / process ---
    # PWP__NO_WORKER: "true" # Web only (no background worker)

services:
  pwpush:
    # "latest" is mostly reliable; use "stable" for well tested releases.
    # Both are floating tags: a pull or re-create can change the running code without any edit
    # to this file. For a reproducible deployment pin a specific release tag or an image digest
    # (docker.io/pglombardo/pwpush@sha256:DIGEST_PLACEHOLDER) and update it deliberately.
    image: docker.io/pglombardo/pwpush:latest
    restart: unless-stopped
    ports:
      - "443:443"
      # - "80:80" # To support older browsers
      # - "5100:5100" # High port if you host pwpush behind a proxy (HTTP)
      # Port 5100 is plain HTTP. If the proxy runs on this same host, publish it on loopback only
      # so it is not reachable from other machines:
      # - "127.0.0.1:5100:5100"
      # Ports published by Docker are commonly reachable even when a host firewall front-end
      # (e.g. ufw) appears to block them; verify exposure from outside the host.
    platform: linux/amd64
    volumes:
      - pwpush-storage:/opt/PasswordPusher/storage
      # Example host bind mount instead of named volume:
      # - ./pwpush-storage:/opt/PasswordPusher/storage
    healthcheck:
      # Inside the container, the app listens on port 5100.
      # Port 443 above is the externally exposed HTTPS endpoint.
      test: ["CMD", "curl", "-f", "http://localhost:5100/up"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s
    # Merges the `environment` mapping defined under `x-env` above into this service.
    <<: *x-env
    # Optional external env file support (alternative to setting values above directly).
    # Keep the `.env` file out of version control and readable only by the deploying user.
    # env_file:
    #   - .env

# Persists SQLite DB and file uploads. To use a host path instead, replace the
# pwpush-storage service volume with: - /path/on/host:/opt/PasswordPusher/storage
# This volume holds the stored pushes: restrict access to it on the host and protect its
# backups the same way as the live data.
volumes:
  pwpush-storage:
    driver: local