services:
  web:
    image: ghcr.io/karakeep-app/karakeep:${KARAKEEP_VERSION:-release}
    restart: unless-stopped
    container_name: karakeep_web
    networks:
      - proxy-net
    volumes:
      # By default, the data is stored in a docker volume called "data".
      # If you want to mount a custom directory, change the volume mapping to:
      # - /path/to/your/directory:/data
      - /mnt/appdata/karakeep/data:/data
    ports:
      - 3000:3000
    env_file:
      - .env
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.karakeep.entrypoints=websecure"
      - "traefik.http.routers.karakeep.rule=Host(`keep.castaldifamily.com`)"
      - "traefik.http.routers.karakeep.tls=true"
      - "traefik.http.routers.karakeep.tls.certresolver=cloudflare"
      - "traefik.http.services.karakeep.loadbalancer.server.port=3000"
    environment:
      MEILI_ADDR: http://meilisearch:7700
      BROWSER_WEB_URL: http://chrome:9222
      DISABLE_SIGNUPS: ${DISABLE_SIGNUPS}	#If enabled, no new signups will be allowed and the signup button will be disabled in the UI
      DISABLE_PASSWORD_AUTH: ${DISABLE_PASSWORD_AUTH}	#If enabled, only signups and logins using OAuth are allowed and the signup button and login form for local accounts will be disabled in the UI
      EMAIL_VERIFICATION_REQUIRED: ${EMAIL_VERIFICATION_REQUIRED}	#Whether email verification is required during user signup. If enabled, users must verify their email address before they can use their account. If you enable this, you must configure SMTP settings.
      OAUTH_AUTO_REDIRECT: ${OAUTH_AUTO_REDIRECT}	#If enabled and password authentication is disabled, automatically redirect to the OAuth provider instead of showing the login page. Useful when OAuth is the only authentication method available.
      OAUTH_WELLKNOWN_URL: ${OAUTH_WELLKNOWN_URL}	#The "wellknown Url" for openid-configuration as provided by the OAuth provider
      OAUTH_CLIENT_SECRET: ${OAUTH_CLIENT_SECRET} #The "Client Secret" as provided by the OAuth provider
      OAUTH_CLIENT_IDX: ${OAUTH_CLIENT_ID} #The "Client ID" as provided by the OAuth provider
      OAUTH_SCOPE: ${OAUTH_SCOPE}	#Full list of scopes to request (space delimited)"
      OAUTH_PROVIDER_NAME: ${OAUTH_PROVIDER_NAME}	#The name of your provider. Will be shown on the signup page as "Sign in with <name>"
      OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING: ${OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING}	#Whether existing accounts in karakeep stored in the database should automatically be linked with your OAuth account. Only enable it if you trust the OAuth provider!
      OAUTH_TIMEOUT: ${OAUTH_TIMEOUT}	#The wait time in milliseconds for the OAuth provider response. Increase this if you are having outgoing request timed out errors
      # OPENAI_API_KEY: ...

      # You almost never want to change the value of the DATA_DIR variable.
      # If you want to mount a custom directory, change the volume mapping above instead.
      DATA_DIR: /data # DON'T CHANGE THIS
  chrome:
    image: gcr.io/zenika-hub/alpine-chrome:124
    restart: unless-stopped
    container_name: karakeep_chrome
    networks:
      - proxy-net
    command:
      - --no-sandbox
      - --disable-gpu
      - --disable-dev-shm-usage
      - --remote-debugging-address=0.0.0.0
      - --remote-debugging-port=9222
      - --hide-scrollbars
  meilisearch:
    image: getmeili/meilisearch:v1.41.0
    restart: unless-stopped
    container_name: karakeep_meilisearch
    env_file:
      - .env
    networks:
      - proxy-net
    environment:
      MEILI_NO_ANALYTICS: "true"
    volumes:
      - /mnt/appdata/karakeep/meilisearch:/meili_data

networks:
  proxy-net:
    external: true