services:
  bytestash:
    image: ghcr.io/jordan-dalby/bytestash:latest
    container_name: bytestash
    restart: unless-stopped
    volumes:
      - bytestash_data:/data/snippets
    environment:
      JWT_SECRET: "{{ vault_bytestash.jwt_secret }}"
      TOKEN_EXPIRY: "24h"
      ALLOW_NEW_ACCOUNTS: "true"
      DEBUG: "false"
      DISABLE_ACCOUNTS: "false"
      DISABLE_INTERNAL_ACCOUNTS: "false"
      OIDC_ENABLED: "true"
      OIDC_DISPLAY_NAME: "Login with Authentik"
      OIDC_ISSUER_URL: "https://{{ subdomains.auth }}/application/o/bytestash/"
      OIDC_CLIENT_ID: "{{ vault_bytestash.oidc_client_id }}"
      OIDC_CLIENT_SECRET: "{{ vault_bytestash.oidc_client_secret }}"
      OIDC_SCOPES: "openid profile email"
    extra_hosts:
      - "{{ subdomains.auth }}:{{ docker.hairpin_ip }}"
    labels:
      glance.name: ByteStash
      glance.icon: si:code
      glance.url: https://{{ subdomains.bytestash }}/
      glance.description: Code snippet manager
      glance.id: bytestash

volumes:
  bytestash_data:
    driver: local

networks:
  default:
    external: true
    name: {{ docker.network_name }}