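# TinyCld — single-container Docker Compose setup
#
# Quick start (production, public domain):
#
#   1. Point your domain's A record at this server's IP.
#   2. Set PRIMARY_DOMAIN and AUTOCERT_ENABLED: "true" below.
#   3. Run:
#        docker compose up -d
#
# Local demo / behind a reverse proxy:
#
#   - Leave AUTOCERT_ENABLED unset/false (plain HTTP on :7090).
#   - Visit http://localhost:7090.
#   - Behind a proxy, set PRIMARY_DOMAIN so the printed setup URL is correct.
#
# Updates:  docker compose pull && docker compose up -d
# Logs:     docker compose logs -f
# Backup:   tar -czf tinycld-backup.tgz ./pb_data
#
# Data lives in ./pb_data (host bind mount) — back this up.
# The backup archive contains every record and upload, so store it with
# restricted permissions. For a consistent snapshot, stop the container
# before archiving (the data directory may be mid-write while it runs).
#
# Image footprint: ~600 MB compressed (~2.5 GB uncompressed). Includes
# the Go toolchain + Node runtime for the optional in-app package installer.

services:
  tinycld:
    # NOTE: "latest" is a mutable tag — `docker compose pull` runs whatever
    # is published under it at that moment. For reproducible, auditable
    # deployments pin a release tag or an image digest instead, e.g.
    #   image: ghcr.io/tinycld/tinycld:<release-tag>       (placeholder)
    #   image: ghcr.io/tinycld/tinycld@sha256:<digest>     (placeholder)
    image: ghcr.io/tinycld/tinycld:latest
    container_name: tinycld
    restart: unless-stopped

    # Domain / TLS config. Set AUTOCERT_ENABLED: "true" with PRIMARY_DOMAIN to
    # enable autocert HTTPS on ports 80/443. Leave AUTOCERT_ENABLED empty/false
    # to serve plain HTTP on :7090 — useful for local demos (mapped to host
    # :7090 below) or behind an external reverse proxy.
    environment:
      # Canonical domain: cert primary SAN + the printed setup URL. Set this
      # even in reverse-proxy mode so the setup URL points at your real host.
      PRIMARY_DOMAIN: ""

      # Extra cert domains, comma-separated (only used when autocert is on).
      # Example: ADDITIONAL_DOMAINS: "www.tinycld.example.com,app.tinycld.example.com"
      ADDITIONAL_DOMAINS: ""

      # "true" to provision Let's Encrypt certs and bind :80/:443 directly.
      AUTOCERT_ENABLED: ""

      # Reverse-proxy mode only (autocert off): scheme for the user-facing
      # setup URL — "https" (default) if your proxy terminates TLS, else "http".
      # PUBLIC_SCHEME: "https"

      # The optional values below include credentials (DSN, mail tokens).
      # Avoid committing real values with this file: Compose can substitute
      # them from the shell or a git-ignored .env file, e.g.
      #   POSTMARK_SERVER_TOKEN: "${POSTMARK_SERVER_TOKEN}"

      # Optional: error reporting
      # SENTRY_DSN: ""

      # Optional: mail delivery (choose one)
      # POSTMARK_SERVER_TOKEN: ""
      # POSTMARK_ACCOUNT_TOKEN: ""

      # Optional: web push notifications
      # VAPID_PUBLIC_KEY: ""
      # VAPID_SUBJECT: "mailto:you@example.com"

    # Every mapping below publishes on all host interfaces (no host IP is
    # given). Docker installs its own firewall rules for published ports,
    # which host firewall front-ends such as ufw typically do not filter.
    # Prefix a mapping with a host IP (e.g. "127.0.0.1:7090:7090") to limit
    # where it is reachable, and comment out any port you do not use.
    ports:
      # 80 + 443: HTTPS via autocert when AUTOCERT_ENABLED=true (with
      # PRIMARY_DOMAIN). The container only binds these if autocert is on.
      # Docker reserves the host ports either way, so comment these two out
      # when autocert is off and something else on this host (for example a
      # reverse proxy) needs 80/443.
      - "80:80"
      - "443:443"

      # 7090: plain HTTP fallback used when autocert is off (local demos or
      # behind an external reverse proxy that upstreams to this port). Remap
      # the host side if 7090 conflicts on your host — e.g. "18080:7090" to
      # expose on host port 18080.
      # Traffic on this port is unencrypted. When a reverse proxy on the same
      # host fronts it, publish on loopback only ("127.0.0.1:7090:7090") so
      # the proxy is the only way in.
      - "7090:7090"

      # 993: IMAPS (implicit TLS). Comment out if you're not running the mail
      # package or if dovecot/postfix is already bound to it on the host.
      - "993:993"

      # 465: SMTPS (implicit TLS). Comment out if you're not running the mail
      # package or if postfix is already bound to it on the host.
      - "465:465"

    volumes:
      # Persistent data: PocketBase records, uploads, migrations state.
      # Everything stateful lives here — back this directory up.
      - ./pb_data:/app/pb_data

      # Generated TypeScript types (pbSchema, pbZodSchema). Small, regenerated
      # on migrations.
      - ./types:/app/types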