services:
  pgadmin:
    image: dpage/pgadmin4:latest
    container_name: infra-pgadmin
    restart: unless-stopped
    environment:
      PGADMIN_DEFAULT_EMAIL: primal.host@primal.host
      PGADMIN_DEFAULT_PASSWORD_FILE: /run/secrets/pgadmin_password
      PGADMIN_CONFIG_PROXY_X_FOR_COUNT: 1
      PGADMIN_CONFIG_PROXY_X_PROTO_COUNT: 1
    secrets:
      - pgadmin_password
    volumes:
      - pgadmin_data:/var/lib/pgadmin
      - ./servers.json:/pgadmin4/servers.json:ro
      - ./pgpass:/pgadmin4/pgpass:ro
    networks:
      - proxy
      - atproto
    labels:
      - "traefik.enable=true"
      # Production route: pgadmin.primal.host
      - "traefik.http.routers.pgadmin.rule=Host(`pgadmin.primal.host`)"
      - "traefik.http.routers.pgadmin.entrypoints=https"
      - "traefik.http.routers.pgadmin.tls.certresolver=letsencrypt"
      - "traefik.http.routers.pgadmin.service=pgadmin"
      - "traefik.http.services.pgadmin.loadbalancer.server.port=80"
      # HTTP to HTTPS redirect
      - "traefik.http.routers.pgadmin-redirect.rule=Host(`pgadmin.primal.host`)"
      - "traefik.http.routers.pgadmin-redirect.entrypoints=http"
      - "traefik.http.routers.pgadmin-redirect.middlewares=https-redirect"
      # Local development route
      - "traefik.http.routers.pgadmin-local.rule=Host(`pgadmin.primal.localhost`)"
      - "traefik.http.routers.pgadmin-local.entrypoints=http"
      - "traefik.http.routers.pgadmin-local.service=pgadmin"

secrets:
  pgadmin_password:
    file: ./pgadmin_password.txt

volumes:
  pgadmin_data:

networks:
  proxy:
    external: true
  atproto:
    external: true