services:
  broker:
    image: docker.io/library/redis:8
    restart: unless-stopped
    volumes:
      - /docker/paperless-ngx/redis/data:/data
  db:
    image: docker.io/library/postgres:18
    restart: unless-stopped
    volumes:
      - /docker/paperless-ngx/postgresql/data:/var/lib/postgresql
    environment:
      POSTGRES_DB: paperless
      POSTGRES_USER: paperless
      POSTGRES_PASSWORD: paperless
  webserver:
    image: ghcr.io/paperless-ngx/paperless-ngx:latest
    restart: unless-stopped
    depends_on:
      - db
      - broker
    ports:
      - "8025:8000"
    volumes:
      - /docker/paperless-ngx/data:/usr/src/paperless/data
      - /docker/paperless-ngx/media:/usr/src/paperless/media
      - /docker/paperless-ngx/export:/usr/src/paperless/export
      - /docker/paperless-ngx/consume:/usr/src/paperless/consume
    environment:
      PAPERLESS_URL: https://paperlessngx.fireflylab.cc
      PAPERLESS_REDIS: redis://broker:6379
      PAPERLESS_DBHOST: db
      PAPERLESS_TIKA_ENABLED: 1
      PAPERLESS_TIKA_GOTENBERG_ENDPOINT: http://gotenberg:3000
      PAPERLESS_TIKA_ENDPOINT: http://tika:9998
      PAPERLESS_APPS: allauth.socialaccount.providers.openid_connect
      PAPERLESS_SOCIALACCOUNT_PROVIDERS: >
          {
            "openid_connect": {
              "OAUTH_PKCE_ENABLED": true,
              "APPS": [
                {
                  "provider_id": "authentik",
                  "name": "authentik",
                  "client_id": "cLQnMe9SMQ2gcnWtFlOMZikPLU8Vh3a2NleYnbBB",
                  "secret": "Fvb5cfPtLM1PZtNUYEi29L1zZmcm64Nwt1hO4gQhcJupgpUy917QtKAgFplpYp6DVvW0jf5jJW75PMDjWm3ZB79oRMjFmYCEesStqwYWDL0Alzvc9zYPGDruKDADnXyJ",
                  "settings": {
                    "server_url": "https://authentik.fireflylab.cc/application/o/paperless-ngx/.well-known/openid-configuration",
                    "fetch_userinfo": true
                  }
                }
              ],
              "SCOPE": ["openid", "profile", "email"]
            }
          }
      PAPERLESS_LOGOUT_REDIRECT_URL: "https://authentik.company/application/o/<application_slug>/end-session/"
      PAPERLESS_SOCIAL_AUTO_SIGNUP: true
      PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS: true
  gotenberg:
    image: docker.io/gotenberg/gotenberg:8.25
    restart: unless-stopped
    # The gotenberg chromium route is used to convert .eml files. We do not
    # want to allow external content like tracking pixels or even javascript.
    command:
      - "gotenberg"
      - "--chromium-disable-javascript=true"
      - "--chromium-allow-list=file:///tmp/.*"
  tika:
    image: docker.io/apache/tika:latest
    restart: unless-stopped