version: "3"

configs:
  materialious_nginx:
    content: |
      events { worker_connections 1024; }
      http {
          default_type application/octet-stream;
          include /etc/nginx/mime.types;
          server {
              listen 80;

              # The video player passes dashUrl as a relative path that resolves
              # to this origin — proxy Invidious API/media paths to local service.
              # (in.vish.gg resolves to the external IP which is unreachable via
              #  hairpin NAT from inside Docker; invidious:3000 is on same network)
              location ~ ^/(api|companion|vi|ggpht|videoplayback|sb|s_p|ytc|storyboards) {
                  proxy_pass http://invidious:3000;
                  proxy_set_header Host $$host;
                  proxy_set_header X-Real-IP $$remote_addr;
                  proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
              }

              location / {
                  root /usr/share/nginx/html;
                  try_files $$uri /index.html;
              }
          }
      }

services:

  invidious:
    image: quay.io/invidious/invidious:latest
    platform: linux/amd64
    restart: unless-stopped
    ports:
      - "3000:3000"
    environment:
      INVIDIOUS_CONFIG: |
        db:
          dbname: invidious
          user: kemal
          password: "REDACTED_PASSWORD"
          host: invidious-db
          port: 5432
        check_tables: true
        invidious_companion:
          - private_url: "http://companion:8282/companion"
        invidious_companion_key: "pha6nuser7ecei1E"
        hmac_key: "Kai5eexiewohchei"
    healthcheck:
      test: wget -nv --tries=1 --spider http://127.0.0.1:3000/api/v1/trending || exit 1
      interval: 30s
      timeout: 5s
      retries: 2
    logging:
      options:
        max-size: "1G"
        max-file: "4"
    depends_on:
      - invidious-db
      - companion

  companion:
    image: quay.io/invidious/invidious-companion:latest
    platform: linux/amd64
    environment:
      - SERVER_SECRET_KEY=pha6nuser7ecei1E
    restart: unless-stopped
    cap_drop:
      - ALL
    read_only: true
    volumes:
      - companioncache:/var/tmp/youtubei.js:rw
    security_opt:
      - no-new-privileges:true
    logging:
      options:
        max-size: "1G"
        max-file: "4"

  invidious-db:
    image: postgres:14
    restart: unless-stopped
    environment:
      POSTGRES_DB: invidious
      POSTGRES_USER: kemal
      POSTGRES_PASSWORD: "REDACTED_PASSWORD"  # pragma: allowlist secret
    volumes:
      - postgresdata:/var/lib/postgresql/data
      - ./config/sql:/config/sql
      - ./docker/init-invidious-db.sh:/docker-entrypoint-initdb.d/init-invidious-db.sh
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"]

  materialious:
    image: wardpearce/materialious:latest
    container_name: materialious
    restart: unless-stopped
    environment:
      VITE_DEFAULT_INVIDIOUS_INSTANCE: "https://in.vish.gg"
    configs:
      - source: materialious_nginx
        target: /etc/nginx/nginx.conf
    ports:
      - "3001:80"
    logging:
      options:
        max-size: "1G"
        max-file: "4"

volumes:
  postgresdata:
  companioncache: