# https://docs.docker.com/compose/compose-file/compose-file-v2/

# [...] By default, every container joins an application-wide default network,
# and is discoverable at a hostname that’s the same as the service name. [...]

version: '2.1'
services:
  db:
    image: postgres:10.5-alpine
    environment:
      POSTGRES_DB: koel
      POSTGRES_USER: koel
      POSTGRES_PASSWORD: secret
    # WORKAROUND cannot whitelist required caps [chown, setuid, setgid, fowner]
    cap_drop: [setpcap, mknod, audit_write, net_raw, fsetid,
               kill, net_bind_service, sys_chroot, setfcap]
    # --security-opt=no-new-privileges
    # https://docs.docker.com/engine/reference/builder/#healthcheck
    # https://github.com/docker-library/healthcheck/blob/master/postgres/docker-healthcheck
    healthcheck:
      test: echo 'SELECT 1' | psql --username koel --dbname koel || exit 1
    restart: unless-stopped
  web:
    image: fphammerle/koel:3.7.2-wait-amd64
    environment:
      DB_CONNECTION: pgsql
      DB_HOST: db
      DB_PORT: 5432
      DB_DATABASE: koel
      DB_PASSWORD: secret
    ports: ['8080:8080']
    cap_drop: [all]
    # --security-opt=no-new-privileges
    # v3 no longer supports the condition form of depends_on
    depends_on:
      db: {condition: service_healthy}
    restart: unless-stopped