services:

  # Gluetun is used to connect container to VPN
  ocis-gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    environment:
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=wireguard
      - VPN_ENDPOINT_IP={{ proxy_server_ip }}
      - VPN_ENDPOINT_PORT={{ proxy_server_vpn_port }}
      - WIREGUARD_PUBLIC_KEY={{ vpn_server_pubkey }}
      - WIREGUARD_PRIVATE_KEY={{ owncloud_service_privkey }}
      - WIREGUARD_ADDRESSES=10.0.0.12/32
      - FIREWALL_VPN_INPUT_PORTS=9200
      - FIREWALL_INPUT_PORTS=9200
    ports:
      - "9200:9200"
    deploy:
      resources:
        limits:
          cpus: '0.10'
          memory: 512M

  ocis:
    network_mode: "service:ocis-gluetun"
    image: owncloud/ocis:latest
    user: 1000:1000
    entrypoint:
      - /bin/sh
    # run ocis init to initialize a configuration file with random secrets
    # it will fail on subsequent runs, because the config file already exists
    # therefore we ignore the error and then start the ocis server
    command: ["-c", "ocis init || true; ocis server"]
    environment:
      OCIS_URL: "https://owncloud.{{ domain_name }}"
      OCIS_LOG_LEVEL: error # make oCIS less verbose
      PROXY_TLS: false # do not use SSL between reverse proxy and oCIS
      OCIS_INSECURE: true
      # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
      PROXY_ENABLE_BASIC_AUTH: false
      # admin user password
      IDM_ADMIN_PASSWORD: "{{ service_owncloud_admin_pass }}" # this overrides the admin password from the configuration file
      # make settings service available to oCIS Hello
      SETTINGS_GRPC_ADDR: 0.0.0.0:9191
      GATEWAY_GRPC_ADDR: 0.0.0.0:9142 # make the REVA gateway accessible to the app drivers
      # email server (if configured)
      # NOTIFICATIONS_SMTP_HOST: "xxxxxx"
      # NOTIFICATIONS_SMTP_PORT: "xxxx"
      # NOTIFICATIONS_SMTP_SENDER: "xxxxx"
      # NOTIFICATIONS_SMTP_USERNAME: "xxxxxxxx"
      # NOTIFICATIONS_SMTP_INSECURE: "xxxxxxx"
      # PROXY_TLS is set to "false", the download url has no https
      STORAGE_USERS_DATA_GATEWAY_URL: http://ocis:9200/data
      # separate directory for thumbnails
      THUMBNAILS_FILESYSTEMSTORAGE_ROOT: /var/lib/ocis-thumbnails
    volumes:
      - ./ocis-config:/etc/ocis
      - ./ocis-data:/var/lib/ocis
      - ./ocis-thumbnails:/var/lib/ocis-thumbnails
    logging:
      driver: "local"
    restart: always
    deploy:
      resources:
        limits:
          cpus: '0.25'
          memory: 512M