# =============================================================================
# obsidian-sync : CouchDB hub for Obsidian Self-hosted LiveSync
# Deploy as a Dokploy "Compose" app. Image is pulled (no build).
# Public endpoint: https://couchdb.manohargupta.com  (CouchDB-native auth only)
# =============================================================================
services:
  couchdb:
    # Pin a known-good 3.x line. LiveSync needs >=3.2; 3.3 is well-tested.
    image: couchdb:3.3
    container_name: obsidian-couchdb
    restart: unless-stopped

    # Admin credentials come from Dokploy's Environment tab (NOT hard-coded here,
    # so they never land in git). Set COUCHDB_USER / COUCHDB_PASSWORD in the UI.
    environment:
      - COUCHDB_USER=${COUCHDB_USER}
      - COUCHDB_PASSWORD=${COUCHDB_PASSWORD}

    volumes:
      # Persistent database files (named volume, survives redeploys).
      - couchdb-data:/opt/couchdb/data
      # LiveSync-tuned config. Mounted into the *.d override dir so it layers on
      # top of CouchDB's defaults without us editing the base file.
      - ./couchdb/local.ini:/opt/couchdb/etc/local.d/10-livesync.ini:ro

    # Guardrail on a RAM-tight box. CouchDB idles ~150-300MB; cap keeps a runaway
    # query from eating your headroom. Swap still absorbs brief spikes.
    mem_limit: 768m

    healthcheck:
      # _up is CouchDB's lightweight liveness endpoint (no auth needed).
      test: ["CMD", "curl", "-f", "http://localhost:5984/_up"]
      interval: 30s
      timeout: 10s
      retries: 5
      start_period: 30s

    networks:
      - dokploy-network

    labels:
      - traefik.enable=true
      # --- HTTP router on :80 (serves the ACME challenge; matches your Dokploy
      #     convention seen on position-tracker). CouchDB 401s unauth requests
      #     itself, so no auth middleware needed here. ---
      - traefik.http.routers.obsidian-couchdb-http.rule=Host(`couchdb.manohargupta.com`)
      - traefik.http.routers.obsidian-couchdb-http.entrypoints=web
      # --- HTTPS router on :443 ---
      - traefik.http.routers.obsidian-couchdb.rule=Host(`couchdb.manohargupta.com`)
      - traefik.http.routers.obsidian-couchdb.entrypoints=websecure
      - traefik.http.routers.obsidian-couchdb.tls=true
      - traefik.http.routers.obsidian-couchdb.tls.certresolver=letsencrypt
      # --- Service: CouchDB listens on 5984 ---
      - traefik.http.services.obsidian-couchdb.loadbalancer.server.port=5984
      # Tell Traefik which network to reach the container on (overlay).
      - traefik.docker.network=dokploy-network
      # NOTE: deliberately NO basicauth middleware here. CouchDB does its own auth.

networks:
  dokploy-network:
    external: true

volumes:
  couchdb-data: