version: "3.8"

services:
  navidrome:
    image: deluan/navidrome:latest
    container_name: navidrome
    restart: unless-stopped
    expose:
      - "4533"
    environment:
      # Navidrome's database connection URL now references the secret for the password
      # The secret file content will be mounted at /run/secrets/navidrome_db_password
      ND_DATABASE_URL: "postgres://navidrome:$(cat /run/secrets/navidrome_db_password)@navidromedb:5432/navidrome_db?sslmode=disable"
      # Other Navidrome environment variables...
      ND_SESSIONTIMEOUT: 24h
      ND_ENABLETRANSCODING: "true"
      # ND_SCANSCHEDULE: 1h
      # ND_LOGLEVEL: info
      # ND_BASEURL: ""

    volumes:
      - "/opt/navidrome/data:/data"
      - "/opt/music:/music:ro"
    user: "1000:1000" # Ensure this user has proper permissions on host volumes
    networks:
      - web
    depends_on:
      - navidromedb
    # --- Declare the secret for Navidrome to use ---
    secrets:
      - navidrome_db_password # This name refers to the secret defined at the bottom

  nginx-proxy-manager:
    image: jc21/nginx-proxy-manager:latest
    container_name: nginx-proxy-manager
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      - "81:81"
    volumes:
      - "/opt/npm/data:/data"
      - "/opt/npm/letsencrypt:/etc/letsencrypt"
    networks:
      - web
      - gitea

  navidromedb:
    image: postgres:13
    container_name: navidromedb
    restart: unless-stopped
    mem_limit: 2048m
    environment:
      POSTGRES_DB: "navidrome_db"
      POSTGRES_USER: "navidrome"
      # --- Use the secret for the PostgreSQL root password ---
      # The secret file content will be mounted at /run/secrets/postgres_root_password
      POSTGRES_PASSWORD_FILE: "/run/secrets/postgres_root_password" # Use _FILE suffix for secret files

    volumes:
      - "/opt/postgres/data:/var/lib/postgresql/data"
    networks:
      - web
    # --- Declare the secret for Postgres to use ---
    secrets:
      - postgres_root_password # This name refers to the secret defined at the bottom

  gitea:
    image: docker.gitea.com/gitea:1.25.2
    container_name: gitea
    environment:
      - USER_UID=1000
      - USER_GID=1000
    restart: always
    networks:
      - gitea
    volumes:
      - /opt/gitea/data:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "3000:3000"
      - "222:22"

networks:
  web:
    external: false
  gitea:
    external: false

# --- Docker Secrets Definition ---
secrets:
  navidrome_db_password: # This name is referenced by the 'navidrome' service
    file: ./navidrome_db_password.txt # Path to your secret file on the host

  postgres_root_password: # This name is referenced by the 'navidromedb' service
    file: ./postgres_root_password.txt # Path to your secret file on the host