# Seafile - File sync
# Port: 8082
# File sync and share with versioning

services:
  db:
    image: mariadb:11.4-noble #LTS Long Time Support Until May 29, 2029.
    container_name: Seafile-DB
    hostname: seafile-db
    security_opt:
      - no-new-privileges:false
    volumes:
      - /volume1/docker/seafile/db:/var/lib/mysql:rw
    environment:
      MYSQL_ROOT_PASSWORD: "REDACTED_PASSWORD"
      MYSQL_DATABASE: seafile_db
      MYSQL_USER: seafileuser
      MYSQL_PASSWORD: "REDACTED_PASSWORD"
      TZ: America/Los_Angeles
    restart: on-failure:5

  cache:
    image: memcached:1.6
    entrypoint: memcached -m 256
    container_name: Seafile-CACHE
    hostname: memcached
    security_opt:
      - no-new-privileges:true
    read_only: true
    user: 1026:100
    restart: on-failure:5

  redis:
    image: redis
    container_name: Seafile-REDIS
    command:
      - /bin/sh
      - -c
      - redis-server --requirepass REDACTED_PASSWORD
    hostname: redis
    security_opt:
      - no-new-privileges:true
    read_only: false
    user: 1026:100
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping || exit 1"]
    volumes:
      - /volume1/docker/seafile/redis:/data:rw
    environment:
      TZ: America/Los_Angeles
    restart: on-failure:5

  seafile:
    image: seafileltd/seafile-mc:13.0-latest
    container_name: Seafile
    user: 0:0
    hostname: seafile
    security_opt:
      - no-new-privileges:false
    healthcheck:
      test: wget --no-verbose --tries=1 --spider http://localhost
    volumes:
      - /volume1/docker/seafile/data:/shared:rw
    ports:
      - 8611:80
    environment:
      INIT_SEAFILE_MYSQL_ROOT_PASSWORD: "REDACTED_PASSWORD"
      SEAFILE_MYSQL_DB_HOST: seafile-db
      SEAFILE_MYSQL_DB_USER: seafileuser
      SEAFILE_MYSQL_DB_PORT: 3306
      SEAFILE_MYSQL_DB_PASSWORD: "REDACTED_PASSWORD"
      SEAFILE_MYSQL_DB_SEAFILE_DB_NAME: seafile_db
      SEAFILE_MYSQL_DB_CCNET_DB_NAME: ccnet_db
      SEAFILE_MYSQL_DB_SEAHUB_DB_NAME: seahub_db
      CACHE_PROVIDER: redis
      REDIS_HOST: redis
      REDIS_PORT: 6379
      REDIS_PASSWORD: "REDACTED_PASSWORD"
      TIME_ZONE: America/Los_Angeles
      SEAFILE_VOLUME: /opt/seafile-data
      SEAFILE_MYSQL_VOLUME: /opt/seafile-mysql/db
      INIT_SEAFILE_ADMIN_EMAIL: your-email@example.com
      INIT_SEAFILE_ADMIN_PASSWORD: "REDACTED_PASSWORD" # pragma: allowlist secret
      JWT_PRIVATE_KEY: "REDACTED_JWT_PRIVATE_KEY"
      SEADOC_VOLUME: /opt/seadoc-data
      SEADOC_IMAGE: seafileltd/sdoc-server:2.0-latest
      ENABLE_SEADOC: true
      SEADOC_SERVER_URL: https://sf.vish.gg/sdoc-server
      SEAFILE_SERVER_HOSTNAME: sf.vish.gg
      SEAFILE_SERVER_PROTOCOL: https
      FORCE_HTTPS_IN_CONF: true
      SEAFILE_SERVER_LETSENCRYPT: false
      # Authentik OAuth2 SSO - keeps local login working
      # NOTE: Also add to seahub_settings.py in /shared/seafile/conf/:
      # ENABLE_OAUTH = True
      # OAUTH_ENABLE_INSECURE_TRANSPORT = False
      # OAUTH_CLIENT_ID = "REDACTED_CLIENT_ID"
      # OAUTH_CLIENT_SECRET = "REDACTED_CLIENT_SECRET"
      # OAUTH_REDIRECT_URL = "https://sf.vish.gg/oauth/callback/"
      # OAUTH_PROVIDER_DOMAIN = "sso.vish.gg"
      # OAUTH_AUTHORIZATION_URL = "https://sso.vish.gg/application/o/authorize/"
      # OAUTH_TOKEN_URL = "https://sso.vish.gg/application/o/token/"
      # OAUTH_USER_INFO_URL = "https://sso.vish.gg/application/o/userinfo/"
      # OAUTH_SCOPE = ["openid", "profile", "email"]
      # OAUTH_ATTRIBUTE_MAP = {
      #     "email": (True, "email"),
      #     "name": (False, "name"),
      # }
    depends_on:
      db:
        condition: service_started
      cache:
        condition: service_started
      redis:
        condition: service_started
    restart: on-failure:5