services:
  broker:
    image: docker.io/library/redis:7
    restart: unless-stopped
    labels:
      glance.parent: paperlessngx
      glance.name: Redis
    volumes:
      - redisdata:/data

  webserver:
    image: ghcr.io/paperless-ngx/paperless-ngx:latest
    restart: unless-stopped
    labels:
      glance.name: Paperless NGX
      glance.icon: si:paperlessngx
      glance.url: https://{{ subdomains.paper }}/
      glance.description: Document server
      glance.id: paperlessngx
    depends_on:
      - broker
      - gotenberg
      - tika
    volumes:
      - data:/usr/src/paperless/data
      - media:/usr/src/paperless/media
      - ./export:/usr/src/paperless/export
      - ./consume:/usr/src/paperless/consume
    env_file: docker-compose.env
    extra_hosts:
      - '{{ subdomains.auth }}:{{ docker.hairpin_ip }}'
    environment:
      PAPERLESS_REDIS: redis://broker:6379
      PAPERLESS_TIKA_ENABLED: 1
      PAPERLESS_TIKA_GOTENBERG_ENDPOINT: http://gotenberg:3000
      PAPERLESS_TIKA_ENDPOINT: http://tika:9998
      PAPERLESS_OCR_USER_ARGS: '{"invalidate_digital_signatures": true}'

  gotenberg:
    image: docker.io/gotenberg/gotenberg:8.7
    labels:
      glance.parent: paperlessngx
      glance.name: Gotenburg
    restart: unless-stopped

    # The gotenberg chromium route is used to convert .eml files. We do not
    # want to allow external content like tracking pixels or even javascript.
    command:
      - "gotenberg"
      - "--chromium-disable-javascript=true"
      - "--chromium-allow-list=file:///tmp/.*"

  tika:
    image: docker.io/apache/tika:latest
    labels:
      glance.parent: paperlessngx
      glance.name: Tika
    restart: unless-stopped

  backup:
    image: offen/docker-volume-backup:v2
    restart: always
    labels:
      glance.parent: paperlessngx
      glance.name: Backup
      mag37.dockcheck.update: true
    environment:
      BACKUP_FILENAME: pngx-backup-%Y-%m-%dT%H-%M-%S.tar.gz
      BACKUP_CRON_EXPRESSION: "10 9 * * *"
      BACKUP_PRUNING_PREFIX: pngx-
      BACKUP_RETENTION_DAYS: 7
      AWS_S3_BUCKET_NAME: tsolbackups
      AWS_ENDPOINT: s3.us-west-004.backblazeb2.com 
      AWS_ACCESS_KEY_ID: {{ vault_backup.access_key_id }}
      AWS_SECRET_ACCESS_KEY: {{ vault_backup.secret_access_key }}
    volumes:
      - media:/backup/pngx-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro

volumes:
  data:
  media:
  redisdata:

networks:
  default:
    external: true
    name: {{ docker.network_name }}