# SPDX-License-Identifier: AGPL-3.0-only
# SPDX-FileCopyrightText: 2024 Univention GmbH


services:

  # NATS message broker used by the provisioning services in this file.
  # The image is pinned by tag and sha256 digest. The server configuration is
  # delivered as a Compose secret (mounted at /run/secrets/nats-conf) instead
  # of environment variables.
  nats:
    image: "artifacts.software-univention.de/library/nats:2.12.2@sha256:ce420d07f6d70c5b06cf78029aac726fe8c74f4465fe65f5ed9d14b9d6302d3c"
    command: "-c /run/secrets/nats-conf"
    restart: "unless-stopped"
    networks:
      - "nubus-provisioning"
    secrets:
      - "nats-conf"
    ports:
      # Neither mapping names a host address, so both ports are published on
      # every host interface.
      # NOTE(review): the NATS HTTP monitoring endpoint has no authentication
      # of its own. If nothing off-host consumes it, bind it to loopback
      # ("127.0.0.1:8222:8222") or drop the mapping; otherwise confirm the
      # host firewall restricts both ports to the intended peers.
      - "4222:4222"   # Client connections
      - "8222:8222"   # Monitoring endpoint (optional)
    volumes:
      # Host directory bind-mounted at /data in the container.
      - "/var/lib/univention-appcenter/apps/provisioning-service/data/nats-data/:/data"

  # Provisioning REST API. It talks to NATS over the "nubus-provisioning"
  # network; this file publishes no host port for the container.
  provisioning-api:
    # NOTE(review): unlike the nats image above, this reference is a
    # pre-release branch tag from a development project path and carries no
    # sha256 digest, so the content behind the tag can change between pulls.
    # Pin a digest (and a release tag) before this template ships.
    image: "gitregistry.knut.univention.de/univention/dev/projects/provisioning/provisioning-api:0.68.0-pre-dwiesent-transformer-udm-rest-97-2"
    container_name: "nubus-provisioning-api"
    restart: "unless-stopped"
    environment:
      # The inline Python template sections below run when this template is
      # rendered. They read /etc/provisioning-secrets.json and write each
      # secret in clear text into the rendered compose file, so the passwords
      # are present in that file and in the container environment (visible
      # through `docker inspect`).
      # NOTE(review): confirm the rendered file is readable by root only.
      # NOTE(review): the secrets are emitted unquoted and unescaped. A dollar
      # sign in a value would be treated as variable interpolation by Compose
      # (the prefill service's UDM_USERNAME doubles it, presumably for that
      # reason); confirm generated passwords cannot contain a dollar sign or
      # YAML-significant characters.
      - PLATFORM_UCS=true
      # Log level comes from UCR provisioning-service/log/level, default WARNING.
      - LOG_LEVEL=@!@print(configRegistry.get("provisioning-service/log/level", "WARNING"), end="")@!@
      -  NATS_HOST=nats
      -  NATS_PORT=4222
      -  NATS_USER=api
      # NOTE(review): the api, dispatcher, udm-transformer and prefill services
      # all read the same NATS_PASSWORD key for their distinct NATS users.
      # If nats.conf really gives every user this one password, a leak from
      # any container exposes all of them - confirm against nats.conf.
      -  NATS_PASSWORD=@!@import json; print(json.load(open("/etc/provisioning-secrets.json"))["NATS_PASSWORD"]);@!@
      # Literal placeholder strings, not credentials.
      -  ADMIN_NATS_USER=NOT_SET_NOT_REQUIRED
      -  ADMIN_NATS_PASSWORD=NOT_SET_NOT_REQUIRED
      -  ADMIN_USERNAME=admin
      -  ADMIN_PASSWORD=@!@import json; print(json.load(open("/etc/provisioning-secrets.json"))["PROVISIONING_API_ADMIN_PASSWORD"]);@!@
      -  PREFILL_USERNAME=prefill
      # NOTE(review): PREFILL_PASSWORD is read from the NATS_PASSWORD key, i.e.
      # it is the same secret as NATS_PASSWORD above - confirm this reuse is
      # intended rather than a copy/paste of the wrong key.
      -  PREFILL_PASSWORD=@!@import json; print(json.load(open("/etc/provisioning-secrets.json"))["NATS_PASSWORD"]);@!@
      -  MAX_PREFILL_ATTEMPTS=5
      -  EVENTS_USERNAME_UDM=udm
      -  EVENTS_PASSWORD_UDM=@!@import json; print(json.load(open("/etc/provisioning-secrets.json"))["EVENTS_PASSWORD_UDM"]);@!@
      -  DEBUG=false
      -  ROOT_PATH=/univention/provisioning
      -  CORS_ALL=false
    volumes:
      # Host CA bundle, mounted read-only.
      - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
    networks:
      - "nubus-provisioning"
    depends_on:
      - "nats"

  # Dispatcher: has a "pull" and a "push" NATS connection, configured
  # separately below, plus the provisioning API host and port.
  dispatcher:
    # NOTE(review): pre-release branch tag without a sha256 digest (the nats
    # image in this file is digest-pinned); pin before shipping.
    image: "gitregistry.knut.univention.de/univention/dev/projects/provisioning/provisioning-dispatcher:0.68.0-pre-dwiesent-transformer-udm-rest-97-2"
    container_name: "nubus-provisioning-dispatcher"
    restart: "unless-stopped"
    environment:
      - PLATFORM_UCS=true
      - LOG_LEVEL=@!@print(configRegistry.get("provisioning-service/log/level", "WARNING"), end="")@!@
      # The next two list items are printed by inline Python at render time.
      # When UCR server/role is domaincontroller_master the pull connection
      # goes to nats:4222 on the compose network. For any other role it goes
      # to this host's FQDN on the UCR port nats/stunnel/accept/port
      # (default 4230).
      # NOTE(review): presumably a local stunnel endpoint forwarding to the
      # primary's NATS; whether that tunnel authenticates its peer is not
      # visible in this file - verify in the stunnel configuration.
      @!@print("-  NATS_HOST_PULL=nats" if configRegistry.get('server/role').lower() == "domaincontroller_master" else f"-  NATS_HOST_PULL={configRegistry.get('hostname')}.{configRegistry.get('domainname')}")@!@
      @!@print("-  NATS_PORT_PULL=4222" if configRegistry.get('server/role').lower() == "domaincontroller_master" else f"-  NATS_PORT_PULL={configRegistry.get('nats/stunnel/accept/port', 4230)}")@!@
      -  NATS_HOST_PUSH=nats
      -  NATS_PORT_PUSH=4222
      -  NATS_USER_PULL=dispatcher
      -  NATS_USER_PUSH=dispatcher
      # Consumer name is suffixed with the UCR hostname value.
      -  NATS_CONSUMER_NAME=provisioning-dispatcher-@%@hostname@%@
      # Both passwords are the shared NATS_PASSWORD key, written in clear text
      # into the rendered file (see the review notes on provisioning-api).
      -  NATS_PASSWORD_PULL=@!@import json; print(json.load(open("/etc/provisioning-secrets.json"))["NATS_PASSWORD"]);@!@
      -  NATS_PASSWORD_PUSH=@!@import json; print(json.load(open("/etc/provisioning-secrets.json"))["NATS_PASSWORD"]);@!@
      -  NATS_MAX_RECONNECT_ATTEMPTS=2
      -  PROVISIONING_API_HOST=provisioning-api
      -  PROVISIONING_API_PORT=7777
    depends_on:
      - "nats"
      - "provisioning-api"
    networks:
      - "nubus-provisioning"
    # Disabled debugging override; keep it commented out in shipped templates.
    #entrypoint: ["sleep", "10000"]

  # UDM transformer: connects to NATS and the provisioning API on the compose
  # network and to the UDM REST API on the LDAP primary over HTTPS.
  udm-transformer:
    # NOTE(review): pre-release branch tag without a sha256 digest (the nats
    # image in this file is digest-pinned); pin before shipping.
    image: "gitregistry.knut.univention.de/univention/dev/projects/provisioning/provisioning-udm-transformer:0.68.0-pre-dwiesent-transformer-udm-rest-97-2"
    container_name: "nubus-provisioning-udm-transformer"
    restart: "unless-stopped"
    # On a server whose UCR server/role is domaincontroller_backup the next
    # line renders "profiles: [donotstart]"; on other roles it renders empty.
    # Presumably this keeps the service from starting on backup nodes.
    @!@if configRegistry.get('server/role').lower() == "domaincontroller_backup": print("profiles: [donotstart]\n")@!@
    extra_hosts:
      # Makes the Docker host reachable from inside the container under the
      # name host.docker.internal.
      - "host.docker.internal:host-gateway"
    environment:
        - PLATFORM_UCS=true
        - LOG_LEVEL=@!@print(configRegistry.get("provisioning-service/log/level", "WARNING"), end="")@!@
        - NATS_HOST=nats
        - NATS_PORT=4222
        - NATS_USER=udm-transformer
        # Shared NATS_PASSWORD key, written in clear text into the rendered
        # file (see the review notes on provisioning-api).
        - NATS_PASSWORD=@!@import json; print(json.load(open("/etc/provisioning-secrets.json"))["NATS_PASSWORD"]);@!@
        - LDAP_PUBLISHER_NAME=udm-listener
        - PROVISIONING_API_HOST=provisioning-api
        - PROVISIONING_API_PORT=7777
        - EVENTS_USERNAME_UDM=udm
        - EVENTS_PASSWORD_UDM=@!@import json; print(json.load(open("/etc/provisioning-secrets.json"))["EVENTS_PASSWORD_UDM"]);@!@
        # UDM REST endpoint on the host named by UCR ldap/master, over HTTPS.
        - UDM_URL=https://@%@ldap/master@%@/univention/udm/
        # NOTE(review): this service authenticates as cn=admin, and the
        # content of /etc/ldap.secret is copied in clear text into the
        # rendered compose file and the container environment. Anyone who can
        # read either obtains that credential. The prefill service uses a
        # machine account instead; consider a dedicated, less privileged
        # account here, or pass the secret as a Compose secret file.
        - UDM_USERNAME=cn=admin
        - UDM_PASSWORD=@!@print(open("/etc/ldap.secret").read())@!@
        - UDM_NEEDS_RELOAD=False
        # Points at the host CA bundle mounted read-only below. Presumably
        # read by the HTTP client to verify the UDM_URL certificate.
        - REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
    depends_on:
      - "nats"
    networks:
      - "nubus-provisioning"
    volumes:
      - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro

  # Prefill service: reaches NATS and the provisioning API on the compose
  # network and the UDM REST API over HTTPS using the app's machine account.
  prefill:
    # NOTE(review): pre-release branch tag without a sha256 digest (the nats
    # image in this file is digest-pinned); pin before shipping.
    image: "gitregistry.knut.univention.de/univention/dev/projects/provisioning/provisioning-prefill:0.68.0-pre-dwiesent-transformer-udm-rest-97-2"
    container_name: "nubus-provisioning-prefill"
    restart: "unless-stopped"
    environment:
     - PLATFORM_UCS=true
     - LOG_LEVEL=@!@print(configRegistry.get("provisioning-service/log/level", "WARNING"), end="")@!@
     - NATS_HOST=nats
     - NATS_PORT=4222
     - PROVISIONING_API_HOST=provisioning-api
     - PROVISIONING_API_PORT=7777
     - NATS_USER=prefill
     # Shared NATS_PASSWORD key, written in clear text into the rendered file
     # (see the review notes on provisioning-api).
     - NATS_PASSWORD=@!@import json; print(json.load(open("/etc/provisioning-secrets.json"))["NATS_PASSWORD"]);@!@
     - NATS_MAX_RECONNECT_ATTEMPTS=2
     # UDM REST API host comes from UCR provisioning-service/udm-rest-api-host.
     - UDM_HOST=@%@provisioning-service/udm-rest-api-host@%@
     - UDM_PORT=443
     - UDM_URL_PATH_PREFIX=/univention
     - UDM_PROTOCOL=https
     # At render time a shell pipeline looks up the uid of the app's host DN
     # (UCR appcenter/apps/provisioning-service/hostdn) and takes the first
     # "uid:" line. Each dollar sign in the result is doubled so Compose does
     # not treat it as variable interpolation.
     # NOTE(review): the command runs with shell=True and expands the UCR
     # value unquoted. The value is local configuration, but quoting the
     # substitution would pass a DN with spaces or shell metacharacters as a
     # single argument.
     # NOTE(review): check=True sees only the exit status of the last pipeline
     # stage (awk). A failed LDAP search therefore surfaces as an IndexError
     # on the empty output, not as a CalledProcessError.
     - UDM_USERNAME=@!@import subprocess; print(subprocess.run("univention-ldapsearch -b $(ucr get appcenter/apps/provisioning-service/hostdn) uid | grep uid: | awk '{print $2}'", shell=True, capture_output=True, text=True, check=True).stdout.strip().splitlines()[0].replace('$', '$$'), end='')@!@
     # Machine account secret of the app, copied in clear text into the
     # rendered compose file and the container environment.
     # NOTE(review): unlike UDM_USERNAME above, this value is not
     # dollar-escaped - confirm machine secrets cannot contain a dollar sign.
     - UDM_PASSWORD=@!@print(open("/var/lib/univention-appcenter/apps/provisioning-service/machine.secret").read())@!@
     - PREFILL_USERNAME=prefill
     # NOTE(review): read from the NATS_PASSWORD key, same as NATS_PASSWORD
     # above - confirm the reuse is intended.
     - PREFILL_PASSWORD=@!@import json; print(json.load(open("/etc/provisioning-secrets.json"))["NATS_PASSWORD"]);@!@
     - MAX_PREFILL_ATTEMPTS=5
     - NETWORK_RETRY_STARTING_INTERVAL=1
     - NETWORK_RETRY_MAX_DELAY=120
     - NETWORK_RETRY_MAX_ATTEMPTS=60
    volumes:
      # Host CA bundle, mounted read-only.
      - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
    depends_on:
      - "provisioning-api"
    networks:
      - "nubus-provisioning"


# One user-defined bridge network shared by every service in this file.
# The explicit name stops Compose from prefixing it with the project name.
networks:
  nubus-provisioning:
    name: "nubus-provisioning"
    driver: "bridge"

# File-backed Compose secret; the nats service receives it at
# /run/secrets/nats-conf and loads it as its server configuration.
# NOTE(review): presumably this file holds the NATS user credentials; confirm
# the host file is readable by root only, since it is mounted as-is.
secrets:
  nats-conf:
    file: "/var/lib/univention-appcenter/apps/provisioning-service/conf/nats.conf"
