services:
  keycloak:
    image: quay.io/keycloak/keycloak:26.3.3 #latest
    container_name: keycloak
    user: "0"
    command: start # start-dev
            # --import-realm
            # --features=scripts 
            # --log=console
            # --log-level=DEBUG
            # --log-console-output=default
            # --optimized
    environment:
      KC_DB: ${KC_DB}
      KC_DB_URL: ${KC_DB_URL}
      KC_DB_USERNAME: ${KC_DB_USERNAME}
      KC_DB_PASSWORD: ${KC_DB_PASSWORD}
      
      # Keycloak admin user
      KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
      
      # Hostname configuration
      KC_HOSTNAME: ${HOSTNAME}

      KEYCLOAK_FRONTEND_URL: https://${HOSTNAME}
      
      # HTTP configuration
      KC_HTTP_ENABLED: true
      KC_HTTP_PORT: 80
      # KC_HTTP_RELATIVE_PATH: /${PATH}
      KC_HEALTH_ENABLED: true
      KC_METRICS_ENABLED: true

      KC_PROXY_HEADERS: xforwarded
      KC_PROXY_ADDRESS_FORWARDING: true

      # KC_LOG: console
      # KC_LOG_LEVEL: INFO
      # KC_LOG_CONSOLE_FORMAT: "%d{HH:mm:ss} %-5p [%c{1}] %s%e%n"
      # KC_LOG_CONSOLE_COLOR: "true"

      # KC_FEATURES: "scripts"

      # KC_HTTPS_TRUST_STORE_FILE: /opt/keycloak/conf/truststore.jks
      # KC_HTTPS_TRUST_STORE_PASSWORD: ${TRUSTSTORE_PASSWORD}
    ports:
      - "${PORT}:80"
    volumes:
      - ./data/conf:/opt/keycloak/conf
      - ./data/data:/opt/keycloak/data
      - ./data/providers:/opt/keycloak/providers
      - ./data/themes:/opt/keycloak/themes
      - ./realm:/opt/keycloak/data/import 
      # - ./truststore.jks:/opt/keycloak/conf/truststore.jks
    networks:
      - nginx
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "curl -f https://${HOSTNAME}/health/ready || exit 1"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 60s

volumes:
  keycloak_data:
    driver: local

networks:
  nginx:
    driver: bridge
    external: true