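# Compose Farm stack: `cf` has no command override, `web` starts the web UI
# (`command: web ...`). Both services mount the host SSH agent socket, the
# compose directory and an SSH key directory, so a process in either container
# can use whatever SSH credentials are mounted here. Treat access to these
# containers as access to the hosts those credentials can reach.
services:
  cf:
    # NOTE(review): `latest` is a mutable tag, so the image that runs can change
    # between pulls. Pin a reviewed release tag or digest, e.g.
    # ghcr.io/basnijholt/compose-farm:<PINNED_TAG_OR_DIGEST>.
    image: ghcr.io/basnijholt/compose-farm:latest
    # Run as current user to preserve file ownership on mounted volumes.
    # Set CF_UID=$(id -u) CF_GID=$(id -g) in your environment or .env file.
    # Defaults to root (0:0) for backwards compatibility; with the default, the
    # process is root inside the container while holding the mounts below.
    user: "${CF_UID:-0}:${CF_GID:-0}"
    volumes:
      # Host SSH agent socket. `:ro` makes the mount read-only but does not
      # stop a process in the container from connecting to the socket and
      # asking the agent to sign with any key it has loaded.
      # `:?` makes Compose stop with this message when SSH_AUTH_SOCK is unset,
      # instead of failing on the empty volume source `:/ssh-agent:ro`.
      - "${SSH_AUTH_SOCK:?SSH_AUTH_SOCK must be set to the SSH agent socket path}:/ssh-agent:ro"
      # Compose directory (contains compose files AND compose-farm.yaml config).
      # Mounted read-write at the same path inside and outside the container.
      - "${CF_COMPOSE_DIR:-/opt/stacks}:${CF_COMPOSE_DIR:-/opt/stacks}"
      # SSH keys for passwordless auth (generated by `cf ssh setup`).
      # Choose ONE option below (use the same option for both cf and web services):
      # Option 1: Host path (default) - keys at ~/.ssh/compose-farm/id_ed25519
      - "${CF_SSH_DIR:-~/.ssh/compose-farm}:${CF_HOME:-/root}/.ssh"
      # Option 2: Named volume - managed by Docker, shared between services
      # - cf-ssh:${CF_HOME:-/root}/.ssh
    environment:
      - SSH_AUTH_SOCK=/ssh-agent
      # Config file path (state stored alongside it)
      - "CF_CONFIG=${CF_COMPOSE_DIR:-/opt/stacks}/compose-farm.yaml"
      # HOME must match the user running the container for SSH to find keys
      - "HOME=${CF_HOME:-/root}"
      # USER is required for SSH when running as non-root (UID not in /etc/passwd)
      - "USER=${CF_USER:-root}"

  web:
    # NOTE(review): same mutable `latest` tag as the cf service; pin both to
    # the same reviewed tag or digest.
    image: ghcr.io/basnijholt/compose-farm:latest
    restart: unless-stopped
    # Listens on all container interfaces. This file publishes no `ports:`, so
    # the UI is reachable only over `mynetwork` (for example through Traefik).
    command: web --host 0.0.0.0 --port 9000
    # Run as current user to preserve file ownership on mounted volumes
    user: "${CF_UID:-0}:${CF_GID:-0}"
    volumes:
      # Same agent-socket caveat as on the cf service: `:ro` does not limit
      # use of the agent, and this container is long-running and
      # network-reachable.
      - "${SSH_AUTH_SOCK:?SSH_AUTH_SOCK must be set to the SSH agent socket path}:/ssh-agent:ro"
      - "${CF_COMPOSE_DIR:-/opt/stacks}:${CF_COMPOSE_DIR:-/opt/stacks}"
      # SSH keys - use the SAME option as cf service above
      # Option 1: Host path (default)
      - "${CF_SSH_DIR:-~/.ssh/compose-farm}:${CF_HOME:-/root}/.ssh"
      # Option 2: Named volume
      # - cf-ssh:${CF_HOME:-/root}/.ssh
      # XDG config dir for backups and image digest logs (persists across restarts)
      - "${CF_XDG_CONFIG:-~/.config/compose-farm}:${CF_HOME:-/root}/.config/compose-farm"
    environment:
      - SSH_AUTH_SOCK=/ssh-agent
      - "CF_CONFIG=${CF_COMPOSE_DIR:-/opt/stacks}/compose-farm.yaml"
      # Used to detect self-updates and run via SSH to survive container restart
      - CF_WEB_STACK=compose-farm
      # HOME must match the user running the container for SSH to find keys
      - "HOME=${CF_HOME:-/root}"
      # USER is required for SSH when running as non-root (UID not in /etc/passwd)
      - "USER=${CF_USER:-root}"
    labels:
      # NOTE(review): no Traefik middleware is attached to either router below,
      # so nothing in this file puts authentication in front of the UI. Whether
      # the web UI authenticates requests itself is not visible here - confirm.
      # If it does not, attach an auth middleware via
      # traefik.http.routers.<router>.middlewares or keep both routers on a
      # trusted network only.
      - traefik.enable=true
      # If DOMAIN is unset, Compose substitutes an empty string and this rule
      # becomes Host(`compose-farm.`); set DOMAIN when using this router.
      - "traefik.http.routers.compose-farm.rule=Host(`compose-farm.${DOMAIN}`)"
      - traefik.http.routers.compose-farm.entrypoints=websecure
      # NOTE(review): `web` is presumably the plain-HTTP entrypoint; verify in
      # the Traefik static config. If so, traffic to compose-farm.local is
      # unencrypted and should stay on a trusted LAN.
      - "traefik.http.routers.compose-farm-local.rule=Host(`compose-farm.local`)"
      - traefik.http.routers.compose-farm-local.entrypoints=web
      - traefik.http.services.compose-farm.loadbalancer.server.port=9000
    networks:
      - mynetwork

networks:
  # Pre-existing network, created and managed outside this file.
  mynetwork:
    external: true

volumes:
  # Only used if Option 2 is selected above
  cf-ssh: {}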