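# Docker Compose template for the Twenty CRM stack: PostgreSQL, Redis, the
# Twenty server and its background worker. Double-brace placeholders are
# filled in by the templating step before Compose reads the file.
#
# The rendered file holds APP_SECRET and the database password in clear text:
# write it with owner-only permissions and keep it out of version control.
services:
  # PostgreSQL backing store. No ports are published; it is reachable only
  # from containers attached to the "internal" network.
  twenty-db:
    # Floating tag; pin a digest if reproducible deployments are required.
    image: postgres:16-alpine
    container_name: twenty-db
    restart: unless-stopped
    environment:
      POSTGRES_DB: twenty
      POSTGRES_USER: twenty
      POSTGRES_PASSWORD: "{{ twenty_db_password }}"
    volumes:
      # Quoted so the rendered value is always read as one string.
      - "{{ twenty_data_dir }}/db:/var/lib/postgresql/data"
    networks:
      - internal
    logging:
      # GELF over UDP is neither authenticated nor encrypted, and delivery is
      # best-effort; the path to the log host should be a trusted network.
      driver: gelf
      options:
        gelf-address: "udp://{{ graylog_host }}:{{ graylog_gelf_port }}"
        tag: "twenty-db"

  # Redis for the bull-mq message queue. No authentication is configured
  # here; access control relies on the container publishing no ports and
  # being attached only to the "internal" network.
  twenty-redis:
    image: redis:7-alpine
    container_name: twenty-redis
    restart: unless-stopped
    networks:
      - internal
    logging:
      driver: gelf
      options:
        gelf-address: "udp://{{ graylog_host }}:{{ graylog_gelf_port }}"
        tag: "twenty-redis"

  # Web/API process, exposed through Traefik on the external proxy network.
  twenty-server:
    image: "twentycrm/twenty:{{ twenty_version }}"
    container_name: twenty-server
    restart: unless-stopped
    depends_on:
      - twenty-db
      - twenty-redis
    environment:
      SERVER_URL: "https://{{ twenty_domain }}"
      APP_SECRET: "{{ twenty_app_secret }}"
      # NOTE(review): the password is interpolated into the URL as-is. A value
      # containing characters such as @, : or / would need percent-encoding
      # here (POSTGRES_PASSWORD keeps the raw value); confirm the generated
      # password is URL-safe.
      PG_DATABASE_URL: "postgres://twenty:{{ twenty_db_password }}@twenty-db/twenty"
      REDIS_URL: "redis://twenty-redis:6379"
      STORAGE_TYPE: local
      MESSAGE_QUEUE_TYPE: bull-mq
      SIGN_IN_PREFILLED: "false"
      # Authentik OIDC — after first login as admin go to:
      #   Settings → Security → SSO → Add provider
      #   Discovery URL: https://{{ authentik_domain }}/application/o/twenty/.well-known/openid-configuration
      #   Client ID:     twenty
      #   Client Secret: the value of the twenty_oidc_client_secret variable.
      #                  It is deliberately not rendered into this comment, so
      #                  the deployed file carries one secret fewer; read it
      #                  from wherever the deployment secrets are kept.
    volumes:
      - "{{ twenty_data_dir }}/data:/app/packages/twenty-server/.local-storage"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.twenty.rule=Host(`{{ twenty_domain }}`)"
      - "traefik.http.routers.twenty.tls=true"
      - "traefik.http.routers.twenty.tls.certresolver=letsencrypt"
      - "traefik.http.services.twenty.loadbalancer.server.port=3000"
      # NOTE(review): this container sits on two networks and no
      # traefik.docker.network label is set; confirm Traefik resolves the
      # address on the proxy network rather than on "internal".
    networks:
      - internal
      - "{{ sovereign_network_name }}"
    logging:
      driver: gelf
      options:
        gelf-address: "udp://{{ graylog_host }}:{{ graylog_gelf_port }}"
        tag: "twenty-server"

  # Background job runner: same image and storage as the server, started
  # with the worker command and attached to the "internal" network only.
  twenty-worker:
    image: "twentycrm/twenty:{{ twenty_version }}"
    container_name: twenty-worker
    restart: unless-stopped
    command: ["yarn", "worker:prod"]
    depends_on:
      - twenty-server
    environment:
      APP_SECRET: "{{ twenty_app_secret }}"
      # Same URL-safety caveat as PG_DATABASE_URL on twenty-server.
      PG_DATABASE_URL: "postgres://twenty:{{ twenty_db_password }}@twenty-db/twenty"
      REDIS_URL: "redis://twenty-redis:6379"
      STORAGE_TYPE: local
      MESSAGE_QUEUE_TYPE: bull-mq
    volumes:
      - "{{ twenty_data_dir }}/data:/app/packages/twenty-server/.local-storage"
    networks:
      - internal
    logging:
      driver: gelf
      options:
        gelf-address: "udp://{{ graylog_host }}:{{ graylog_gelf_port }}"
        tag: "twenty-worker"

networks:
  # "internal" is only a name: the Compose option internal: true is not set,
  # so containers on this network still have outbound connectivity.
  internal: {}
  # Pre-existing network shared with the reverse proxy; not created here.
  "{{ sovereign_network_name }}":
    external: true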