services:
  backend:
    image: zimengxiong/excalidash-backend:latest
    container_name: excalidash-backend
    environment:
      - DATABASE_URL=file:/app/prisma/dev.db
      - FRONTEND_URL=https://draw.mydomain.com
      - PORT=8000
      - NODE_ENV=production
      - AUTH_MODE=${AUTH_MODE:-local}
      # Keep disabled by default; only enable when a trusted proxy sanitizes forwarded headers.
      - TRUST_PROXY=false
      # Optional for single-instance deployments:
      # if unset, backend auto-generates and persists one in the volume.
      # Recommended to set explicitly for portability and multi-instance setups.
      - JWT_SECRET=xxxxxxxxxxxxxxx
      - CSRF_SECRET=xxxxxxxxxxxxxx
      # Optional OIDC settings (required for AUTH_MODE=hybrid or oidc_enforced)
      # - OIDC_PROVIDER_NAME=Authentik
      # - OIDC_ISSUER_URL=https://auth.example.com/application/o/excalidash/
      # - OIDC_CLIENT_ID=your-client-id
      # - OIDC_CLIENT_SECRET=your-client-secret
      # - OIDC_REDIRECT_URI=https://excalidash.example.com/api/auth/oidc/callback
    volumes:
      - /data/excalidash:/app/prisma
    networks:
      - excalidash-network

  frontend:
    image: zimengxiong/excalidash-frontend:latest
    container_name: excalidash-frontend
    ports:
      - "5747:80"
    depends_on:
      - backend
    networks:
      - excalidash-network

networks:
  excalidash-network: {}