services:
  mongodb:
    image: mongo:{{ mongodb_version }}
    container_name: graylog-mongodb
    restart: unless-stopped
    volumes:
      - {{ graylog_data_dir }}/data/mongodb:/data/db
    networks:
      - internal

  opensearch:
    image: opensearchproject/opensearch:{{ opensearch_version }}
    container_name: graylog-opensearch
    restart: unless-stopped
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - "bootstrap.memory_lock=true"
      - "discovery.type=single-node"
      - "action.auto_create_index=false"
      - "plugins.security.ssl.http.enabled=false"
      - "plugins.security.disabled=true"
      - "OPENSEARCH_INITIAL_ADMIN_PASSWORD=changeme_os_admin"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - {{ graylog_data_dir }}/opensearch:/usr/share/opensearch/data
    networks:
      - internal

  graylog:
    image: graylog/graylog:{{ graylog_version }}
    container_name: graylog
    restart: unless-stopped
    depends_on:
      - mongodb
      - opensearch
    environment:
      GRAYLOG_NODE_ID_FILE: "/usr/share/graylog/data/config/node-id"
      GRAYLOG_HTTP_BIND_ADDRESS: "0.0.0.0:9000"
      GRAYLOG_ELASTICSEARCH_HOSTS: "http://opensearch:9200"
      GRAYLOG_MONGODB_URI: "mongodb://mongodb:27017/graylog"
      GRAYLOG_PASSWORD_SECRET: "{{ graylog_password_secret }}"
      GRAYLOG_ROOT_PASSWORD_SHA2: "{{ graylog_root_password_sha2 }}"
      GRAYLOG_HTTP_EXTERNAL_URI: "https://{{ graylog_domain }}/"
      GRAYLOG_TRANSPORT_EMAIL_ENABLED: "true"
      GRAYLOG_TRANSPORT_EMAIL_HOSTNAME: "{{ smtp_host }}"
      GRAYLOG_TRANSPORT_EMAIL_PORT: "{{ smtp_port }}"
      GRAYLOG_TRANSPORT_EMAIL_FROM_EMAIL: "{{ smtp_from }}"
    ports:
      - "127.0.0.1:9000:9000"
      - "0.0.0.0:12201:12201/udp"   # GELF UDP - must be accessible from all containers
    volumes:
      - {{ graylog_data_dir }}/data/graylog:/usr/share/graylog/data
      - {{ graylog_data_dir }}/config:/usr/share/graylog/data/config
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.graylog.rule=Host(`{{ graylog_domain }}`)"
      - "traefik.http.routers.graylog.tls=true"
      - "traefik.http.routers.graylog.tls.certresolver=letsencrypt"
      - "traefik.http.services.graylog.loadbalancer.server.port=9000"
    networks:
      - internal
      - {{ sovereign_network_name }}

networks:
  internal:
  {{ sovereign_network_name }}:
    external: true