version: '3.8'

# Deploy with:
#   export POSTGRES_PASSWORD='...' FUSIONAUTH_DB_PASSWORD='...'
#   sudo -E docker stack deploy -c fusionauth.yml fusionauth
#
# Passwords sourced from AWS Secrets Manager (swarm_infra_secrets)
#
# Runs on: CADDY_INSTANCE (ip-10-0-1-168)
# FusionAuth is Java-based and memory hungry — deployed on caddy node (t3.large, 8GB)
# Accessible publicly via Caddy reverse proxy at auth.erdaverse.com

services:
  fusionauth:
    image: fusionauth/fusionauth-app:latest
    environment:
      DATABASE_URL: jdbc:postgresql://postgres:5432/fusionauth_db
      DATABASE_ROOT_USERNAME: postgres
      DATABASE_ROOT_PASSWORD: ${POSTGRES_PASSWORD}
      DATABASE_USERNAME: fusionauth_user
      DATABASE_PASSWORD: ${FUSIONAUTH_DB_PASSWORD}
      FUSIONAUTH_APP_MEMORY: 512M
      FUSIONAUTH_APP_RUNTIME_MODE: production
      SEARCH_TYPE: database
    networks:
      - erda-net
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.hostname == ip-10-0-1-168
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3

networks:
  erda-net:
    external: true