services:
  invidious:
    image: quay.io/invidious/invidious:latest
    container_name: invidious
    restart: unless-stopped
    ports:
      - "3001:3000"
    environment:
      INVIDIOUS_CONFIG: |
        db:
          dbname: invidious
          user: kemal
          password: ${INVIDIOUS_DB_PASSWORD}
          host: invidious-db
          port: 5432
        check_tables: true
        signature_server: inv_sig_helper:12999
        visitor_data: ${INVIDIOUS_VISITOR_DATA}
        po_token: ${INVIDIOUS_PO_TOKEN}
        hmac_key: "${INVIDIOUS_HMAC_KEY}"
    logging:
      options:
        max-size: "1G"
        max-file: "4"
    depends_on:
      - invidious-db
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.invidious.loadbalancer.server.port=3000"
      - "traefik.http.routers.invidious.entrypoints=https"
      - "traefik.http.routers.invidious.rule=Host(`invid.${DOMAIN}`, `i.${DOMAIN}`)"
      - "traefik.http.routers.invidious.tls.certresolver=http"
    networks:
      - web
      - default

  inv_sig_helper:
    image: quay.io/invidious/inv-sig-helper:latest
    container_name: inv-sig-helper
    command: ["--tcp", "0.0.0.0:12999"]
    environment:
      - RUST_LOG=info
    restart: unless-stopped
    cap_drop:
      - ALL
    read_only: true
    security_opt:
      - no-new-privileges:true

  invidious-db:
    image: postgres:14
    container_name: invidious-db
    restart: unless-stopped
    volumes:
      - ./postgres:/var/lib/postgresql/data
      - ./config/sql:/config/sql
      - ./docker/init-invidious-db.sh:/docker-entrypoint-initdb.d/init-invidious-db.sh
    environment:
      POSTGRES_DB: invidious
      POSTGRES_USER: kemal
      POSTGRES_PASSWORD: ${INVIDIOUS_DB_PASSWORD}
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"]

networks:
  web:
    external: true