networks:
  monitoring_network:
    external: true

services:
  teslamate:
    image: teslamate/teslamate:latest
    container_name: teslamate
    restart: always
    depends_on:
      - teslamate_database
    environment:
      - DATABASE_USER=${TM_DB_USER}
      - DATABASE_PASS=${TM_DB_PASS}
      - DATABASE_NAME=${TM_DB_NAME}
      - DATABASE_HOST=teslamate_database
      - MQTT_HOST=mosquitto
      - VIRTUAL_HOST=${FQDN_TM}
      - CHECK_ORIGIN=true
      - TZ=${TM_TZ}
      - ENCRYPTION_KEY=${ENCRYPTION_KEY}
    volumes:
      - /app-config/teslamate_config:/opt/app/import
    cap_drop:
      - all
    ports:
      - "4000:4000"
    networks:
      - monitoring_network

  teslamate_database:
    image: postgres:17
    container_name: teslamate_database
    restart: always
    environment:
      - POSTGRES_USER=${TM_DB_USER}
      - POSTGRES_PASSWORD=${TM_DB_PASS}
      - POSTGRES_DB=${TM_DB_NAME}
    volumes:
      - /app-config/teslamate_database:/var/lib/postgresql/data
    networks:
      - monitoring_network

  grafana:
    image: teslamate/grafana:latest
    container_name: grafana
    restart: always
    environment:
      - DATABASE_USER=${TM_DB_USER}
      - DATABASE_PASS=${TM_DB_PASS}
      - DATABASE_NAME=${TM_DB_NAME}
      - DATABASE_HOST=teslamate_database
      - GRAFANA_PASSWD=${GRAFANA_PW}
      - GF_SECURITY_ADMIN_USER=${GRAFANA_USER}
      - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_PW}
      - GF_AUTH_ANONYMOUS_ENABLED=false
      - GF_SERVER_DOMAIN=grafana.sascha-lutz.de
      - GF_SERVER_ROOT_URL=https://grafana.sascha-lutz.de
      - GF_SERVER_SERVE_FROM_SUB_PATH=false
      - GF_AUTH_GENERIC_OAUTH_ENABLED=true
      - GF_AUTH_GENERIC_OAUTH_NAME=Authentik
      - GF_AUTH_GENERIC_OAUTH_CLIENT_ID=${GF_OAUTH_CLIENT_ID}
      - GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=${GF_OAUTH_CLIENT_SECRET}
      - GF_AUTH_GENERIC_OAUTH_SCOPES=openid profile email
      - GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://auth.sascha-lutz.de/application/o/authorize/
      - GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://auth.sascha-lutz.de/application/o/token/
      - GF_AUTH_GENERIC_OAUTH_API_URL=https://auth.sascha-lutz.de/application/o/userinfo/
      - GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(groups[*], 'authentik Admins') && 'Admin' || 'Viewer'
      - GF_AUTH_SIGNOUT_REDIRECT_URL=https://auth.sascha-lutz.de/application/o/grafana/end-session/
      - GF_AUTH_GENERIC_OAUTH_AUTO_LOGIN=false
    volumes:
      - /app-config/grafana_data:/var/lib/grafana
    ports:
      - "3000:3000"
    networks:
      - monitoring_network

  mosquitto:
    image: eclipse-mosquitto:2
    container_name: mosquitto
    command: mosquitto -c /mosquitto-no-auth.conf
    restart: always
    volumes:
      - /app-config/mosquitto_config:/mosquitto/config
      - /app-config/mosquitto_data:/mosquitto/data
    networks:
      - monitoring_network