# Compose v2

x-common-env: &common-env
  env_file:
    - ../env/.env.runtime
    - ../env/.env.lock.db

volumes:
  mongo1_data: {}
  mongo2_data: {}
  mongo3_data: {}
  vault_secrets:
    driver: local
    driver_opts:
      type: tmpfs
      device: tmpfs
      o: size=32m,uid=999,gid=999,mode=0750
  pbm_cfg:
    driver: local
    driver_opts:
      type: tmpfs
      device: tmpfs
      o: size=16m,uid=0,gid=0,mode=0750

services:
  vault-agent-sendico:
    <<: *common-env
    image: hashicorp/vault:latest
    container_name: vault-agent-sendico
    restart: unless-stopped
    cap_add: ["IPC_LOCK"]
    environment:
      VAULT_ADDR: ${VAULT_ADDR}
    volumes:
      - ./vault/agent.hcl:/etc/vault/agent.hcl:ro
      - ./vault/templates:/etc/vault/templates:ro
      - /opt/sendico/vault/sendico-db/role_id:/vault/role_id:ro
      - /opt/sendico/vault/sendico-db/secret_id:/vault/secret_id:ro
      - vault_secrets:/vault/secrets:rw
      - pbm_cfg:/etc/backup:rw
    command: sh -lc 'vault agent -config=/etc/vault/agent.hcl'
    healthcheck:
      test: ["CMD-SHELL","test -s /vault/secrets/MONGO_INITDB_ROOT_USERNAME -a -s /vault/secrets/MONGO_INITDB_ROOT_PASSWORD -a -s /vault/secrets/mongo.kf -a -s /etc/backup/pbm.env -a -s /etc/backup/.u -a -s /etc/backup/.p"]
      interval: 5s
      timeout: 3s
      retries: 30
      start_period: 5s

  sendico_db1:
    <<: *common-env
    image: ${REGISTRY_URL}/mirror/mongo:${MONGO_TAG}@${MONGO_DIGEST}
    container_name: sendico_db1
    restart: unless-stopped
    depends_on: { vault-agent-sendico: { condition: service_healthy } }
    entrypoint: ["/usr/local/bin/mongo-entrypoint-wrapper.sh"]
    command: >
      mongod --replSet ${MONGO_REPLICA_SET} --bind_ip_all --auth
             --keyFile /vault/secrets/mongo.kf --port ${MONGO_PORT}
    volumes:
      - mongo1_data:/data/db
      - vault_secrets:/vault/secrets:ro
      - ./ops/mongo-entrypoint.sh:/usr/local/bin/mongo-entrypoint-wrapper.sh:ro
    healthcheck:
      test: ["CMD-SHELL","mongosh --quiet --host localhost --port ${MONGO_PORT} --eval 'db.runCommand({ ping: 1 }).ok' || exit 1"]
      interval: 10s
      timeout: 5s
      retries: 10
      start_period: 30s
    ports: [ "0.0.0.0:${MONGO_PORT}:${MONGO_PORT}" ]

  sendico_db2:
    <<: *common-env
    image: ${REGISTRY_URL}/mirror/mongo:${MONGO_TAG}@${MONGO_DIGEST}
    container_name: sendico_db2
    restart: unless-stopped
    depends_on: { vault-agent-sendico: { condition: service_healthy } }
    entrypoint: ["/usr/local/bin/mongo-entrypoint-wrapper.sh"]
    command: >
      mongod --replSet ${MONGO_REPLICA_SET} --bind_ip_all --auth
             --keyFile /vault/secrets/mongo.kf --port ${MONGO_PORT}
    volumes:
      - mongo2_data:/data/db
      - vault_secrets:/vault/secrets:ro
      - ./ops/mongo-entrypoint.sh:/usr/local/bin/mongo-entrypoint-wrapper.sh:ro
    healthcheck:
      test: ["CMD-SHELL","mongosh --quiet --host localhost --port ${MONGO_PORT} --eval 'db.runCommand({ ping: 1 }).ok' || exit 1"]
      interval: 10s
      timeout: 5s
      retries: 10
      start_period: 30s

  sendico_db3:
    <<: *common-env
    image: ${REGISTRY_URL}/mirror/mongo:${MONGO_TAG}@${MONGO_DIGEST}
    container_name: sendico_db3
    restart: unless-stopped
    depends_on: { vault-agent-sendico: { condition: service_healthy } }
    entrypoint: ["/usr/local/bin/mongo-entrypoint-wrapper.sh"]
    command: >
      mongod --replSet ${MONGO_REPLICA_SET} --bind_ip_all --auth
             --keyFile /vault/secrets/mongo.kf --port ${MONGO_PORT}
    volumes:
      - mongo3_data:/data/db
      - vault_secrets:/vault/secrets:ro
      - ./ops/mongo-entrypoint.sh:/usr/local/bin/mongo-entrypoint-wrapper.sh:ro
    healthcheck:
      test: ["CMD-SHELL","mongosh --quiet --host localhost --port ${MONGO_PORT} --eval 'db.runCommand({ ping: 1 }).ok' || exit 1"]
      interval: 10s
      timeout: 5s
      retries: 10
      start_period: 30s

  mongo_setup:
    <<: *common-env
    image: ${REGISTRY_URL}/mirror/mongo:${MONGO_TAG}@${MONGO_DIGEST}
    depends_on:
      sendico_db1: { condition: service_healthy }
      sendico_db2: { condition: service_healthy }
      sendico_db3: { condition: service_healthy }
    volumes:
      - vault_secrets:/vault/secrets:ro
    entrypoint: |
      bash -c '
        u=$(cat /vault/secrets/MONGO_INITDB_ROOT_USERNAME)
        p=$(cat /vault/secrets/MONGO_INITDB_ROOT_PASSWORD)
        until mongosh --quiet --host sendico_db1 --port ${MONGO_PORT} --eval "db.adminCommand({ ping: 1 })"; do
          echo "waiting for MongoDB…"; sleep 2;
        done
        mongosh --host sendico_db1 --port ${MONGO_PORT} -u "$u" -p "$p" --authenticationDatabase admin <<EOJS
          try { rs.status() } catch (e) {
            rs.initiate({
              _id: "${MONGO_REPLICA_SET}",
              members: [
                { _id: 0, host: "sendico_db1:${MONGO_PORT}", priority: 2 },
                { _id: 1, host: "sendico_db2:${MONGO_PORT}", priority: 1 },
                { _id: 2, host: "sendico_db3:${MONGO_PORT}", priority: 1 }
              ]
            })
          }
        EOJS
      '
    restart: "no"

  pbm-agent-1:
    <<: *common-env
    image: percona/percona-backup-mongodb:latest
    container_name: pbm-agent-1
    restart: unless-stopped
    depends_on:
      sendico_db1: { condition: service_healthy }
      vault-agent-sendico: { condition: service_healthy }
    volumes:
      - pbm_cfg:/etc/backup:ro
    command: |
      sh -lc '
        . /etc/backup/pbm.env
        U=$(cat /etc/backup/.u) ; P=$(cat /etc/backup/.p)
        export AWS_EC2_METADATA_DISABLED=true
        export PBM_MONGODB_URI="mongodb://${U}:${P}@sendico_db1:${MONGO_PORT}/?authSource=${MONGO_AUTH_SOURCE}&replicaSet=${MONGO_REPLICA_SET}"
        exec pbm-agent --config=/etc/backup/pbm-config.yaml
      '

  pbm-agent-2:
    <<: *common-env
    image: percona/percona-backup-mongodb:latest
    container_name: pbm-agent-2
    restart: unless-stopped
    depends_on:
      sendico_db2: { condition: service_healthy }
      vault-agent-sendico: { condition: service_healthy }
    volumes:
      - pbm_cfg:/etc/backup:ro
    command: |
      sh -lc '
        . /etc/backup/pbm.env
        U=$(cat /etc/backup/.u) ; P=$(cat /etc/backup/.p)
        export AWS_EC2_METADATA_DISABLED=true
        export PBM_MONGODB_URI="mongodb://${U}:${P}@sendico_db2:${MONGO_PORT}/?authSource=${MONGO_AUTH_SOURCE}&replicaSet=${MONGO_REPLICA_SET}"
        exec pbm-agent --config=/etc/backup/pbm-config.yaml
      '

  pbm-agent-3:
    <<: *common-env
    image: percona/percona-backup-mongodb:latest
    container_name: pbm-agent-3
    restart: unless-stopped
    depends_on:
      sendico_db3: { condition: service_healthy }
      vault-agent-sendico: { condition: service_healthy }
    volumes:
      - pbm_cfg:/etc/backup:ro
    command: |
      sh -lc '
        . /etc/backup/pbm.env
        U=$(cat /etc/backup/.u) ; P=$(cat /etc/backup/.p)
        export AWS_EC2_METADATA_DISABLED=true
        export PBM_MONGODB_URI="mongodb://${U}:${P}@sendico_db3:${MONGO_PORT}/?authSource=${MONGO_AUTH_SOURCE}&replicaSet=${MONGO_REPLICA_SET}"
        exec pbm-agent --config=/etc/backup/pbm-config.yaml
      '