services:
  # One-time init: creates ./data and ./certs and hands both directories to
  # the prosody user. The official Prosody image publishes no "latest" tag, so
  # the current release tag (13.0) is used.
  # The chown is not recursive: only the two directories change owner; files
  # written into them later keep the ownership of whichever container wrote
  # them.
  prosody-init:
    image: prosodyim/prosody:13.0
    container_name: prosody-init
    restart: "no"
    entrypoint: /bin/sh
    command:
      - "-c"
      - >-
        mkdir -p /var/lib/prosody /etc/prosody/certs &&
        chown prosody:prosody /var/lib/prosody /etc/prosody/certs
    volumes:
      - ./data:/var/lib/prosody
      - ./certs:/etc/prosody/certs

  # Watches Traefik's acme.json and extracts the certificates into the shared
  # ./certs volume (certs/*.crt and private/*.key under /output).
  #
  # NOTE(review): this container reads acme.json, which holds TLS private
  # keys, yet its image is referenced by the floating ":latest" tag. Pin it to
  # a reviewed release tag or digest (<PINNED_TAG_OR_DIGEST>) so a re-pull
  # cannot silently change the code that handles the keys.
  #
  # NOTE(review): both chmod calls set the *.key files to 644, i.e. readable
  # by every user that can reach ./certs/private on the host and by every
  # container that mounts ./certs. Presumably this is so the prosody user can
  # read files written by this container - confirm. Tighter options: align the
  # key files' owner/group with the prosody user and use 640 or 600, or at
  # least restrict the host-side ./certs directory so other local users
  # cannot traverse it.
  #
  # NOTE(review): the dump is not limited to the XMPP domain here, so keys for
  # other certificates stored in the same acme.json would presumably also land
  # in ./certs - verify, and consider a dedicated certificate resolver/store.
  prosody-certs:
    image: ldez/traefik-certs-dumper:latest
    container_name: prosody-certs
    restart: unless-stopped
    entrypoint: /bin/sh
    command:
      - "-c"
      # 1) write the post-update hook, 2) do an initial dump and fix modes,
      # 3) replace the shell with the long-running watcher.
      - |
        printf '#!/bin/sh\nchmod 644 /output/certs/*.crt /output/private/*.key 2>/dev/null\nexit 0\n' > /tmp/on-cert-update.sh &&
        chmod +x /tmp/on-cert-update.sh &&
        traefik-certs-dumper file --version v2 --source /traefik/acme.json --dest /output &&
        chmod 644 /output/certs/*.crt /output/private/*.key &&
        exec traefik-certs-dumper file --watch --version v2 --source /traefik/acme.json --dest /output --post-hook /tmp/on-cert-update.sh
    volumes:
      # Change this to the cert path if not using the same folder structure.
      # Mounted read-only: the dumper only needs to read acme.json.
      - ../../tools/wireguard/letsencrypt:/traefik:ro
      - ./certs:/output

  # The XMPP server itself. It starts only after prosody-init has exited
  # successfully, so ./data and ./certs already have the expected owner.
  prosody:
    image: prosodyim/prosody:13.0
    container_name: prosody
    restart: unless-stopped
    # NOTE(review): .env presumably carries credentials - keep it out of
    # version control and readable only by the deploying user.
    env_file: .env
    volumes:
      - ./prosody.cfg.lua:/etc/prosody/prosody.cfg.lua:ro
      - ./data:/var/lib/prosody
      # NOTE(review): mounted read-write although Prosody presumably only
      # reads certificates here; consider appending ":ro" once confirmed that
      # nothing inside this container writes to the directory.
      - ./certs:/etc/prosody/certs
    networks:
      - traefik_portal
    depends_on:
      prosody-init:
        condition: service_completed_successfully

networks:
  # Pre-existing network created outside this compose file.
  traefik_portal:
    external: true