version: "2"

services:
  app:
    image: gristlabs/grist
    restart: always
    volumes:
      - grist:/persist
      - certs:/certs
    environment:
      APP_HOME_URL: https://grist.dmeiburg.de
      GRIST_SESSION_SECRET: ${SECRET}
      GRIST_SANDBOX_FLAVOR: gvisor
      GRIST_FORCE_LOGIN: true
      GRIST_OIDC_IDP_ISSUER: https://sso.dmeiburg.de/application/o/grist/.well-known/openid-configuration
      GRIST_OIDC_IDP_CLIENT_ID: ${OIDC_ID}
      GRIST_OIDC_IDP_CLIENT_SECRET: ${OIDC_SECRET}
    labels: 
      caddy: grist.dmeiburg.de
      caddy.reverse_proxy: "{{upstreams 8484}}"

networks:
  default:
    name: caddy
    external: true

volumes:
  grist:
  certs: