services:
  paperless-db:
    image: postgres:18
    container_name: paperless-db
    restart: unless-stopped
    environment:
      TZ: ${TZ}
      POSTGRES_DB: ${PAPERLESS_DBNAME}
      POSTGRES_USER: ${PAPERLESS_DBUSER}
      POSTGRES_PASSWORD: ${PAPERLESS_DBPASS}
    volumes:
      - /opt/paperless/pgdata:/var/lib/postgresql:Z
    networks:
      - paperless_internal

  paperless-redis:
    image: redis:8
    container_name: paperless-redis
    restart: unless-stopped
    volumes:
      - /opt/paperless/redis:/data:Z
    networks:
      - paperless_internal

  paperless-gotenberg:
    image: gotenberg/gotenberg:8.27
    container_name: paperless-gotenberg
    restart: unless-stopped
    command:
      - "gotenberg"
      - "--chromium-disable-javascript=true"
      - "--chromium-allow-list=file:///tmp/.*"
    networks:
      - paperless_internal

  paperless-tika:
    image: apache/tika:latest
    container_name: paperless-tika
    restart: unless-stopped
    networks:
      - paperless_internal

  paperless:
    image: ghcr.io/paperless-ngx/paperless-ngx:latest
    container_name: paperless
    restart: unless-stopped
    depends_on:
      - paperless-db
      - paperless-redis
      - paperless-gotenberg
      - paperless-tika
    environment:
      TZ: ${TZ}

      PAPERLESS_REDIS: redis://paperless-redis:6379
      PAPERLESS_DBHOST: paperless-db
      PAPERLESS_DBENGINE: postgresql
      PAPERLESS_DBNAME: ${PAPERLESS_DBNAME}
      PAPERLESS_DBUSER: ${PAPERLESS_DBUSER}
      PAPERLESS_DBPASS: ${PAPERLESS_DBPASS}

      PAPERLESS_URL: https://${PAPERLESS_DOMAIN}
      PAPERLESS_SECRET_KEY: ${PAPERLESS_SECRET_KEY}
      PAPERLESS_ALLOWED_HOSTS: ${PAPERLESS_ALLOWED_HOSTS}
      PAPERLESS_CSRF_TRUSTED_ORIGINS: https://${PAPERLESS_DOMAIN}
      PAPERLESS_TRUSTED_PROXIES: ${TRUSTED_PROXIES}

      PAPERLESS_ADMIN_USER: ${PAPERLESS_ADMIN_USER}
      PAPERLESS_ADMIN_PASSWORD: ${PAPERLESS_ADMIN_PASSWORD}
      PAPERLESS_ADMIN_MAIL: ${PAPERLESS_ADMIN_MAIL}

      PAPERLESS_TIKA_ENABLED: 1
      PAPERLESS_TIKA_ENDPOINT: http://paperless-tika:9998
      PAPERLESS_TIKA_GOTENBERG_ENDPOINT: http://paperless-gotenberg:3000

      # Más robusto cuando los ficheros llegan por sync/mount y no por inotify puro
      PAPERLESS_CONSUMER_POLLING: ${PAPERLESS_CONSUMER_POLLING}
    volumes:
      - /opt/paperless/data:/usr/src/paperless/data:Z
      - /opt/paperless/media:/usr/src/paperless/media:Z
      - /opt/paperless/export:/usr/src/paperless/export:Z
      - /opt/paperless/consume:/usr/src/paperless/consume:Z
    networks:
      - paperless_internal
      - proxy
      - mail_internal
    labels:
      - traefik.enable=true
      - traefik.docker.network=proxy

      - traefik.http.routers.paperless.rule=Host(`${PAPERLESS_DOMAIN}`)
      - traefik.http.routers.paperless.entrypoints=websecure
      - traefik.http.routers.paperless.tls=true
      - traefik.http.routers.paperless.tls.certresolver=${TRAEFIK_CERTRESOLVER}
      - traefik.http.routers.paperless.middlewares=paperless-secure-headers

      - traefik.http.middlewares.paperless-secure-headers.headers.stsSeconds=31536000
      - traefik.http.middlewares.paperless-secure-headers.headers.stsIncludeSubdomains=true
      - traefik.http.middlewares.paperless-secure-headers.headers.stsPreload=true
      - traefik.http.middlewares.paperless-secure-headers.headers.contentTypeNosniff=true
      - traefik.http.middlewares.paperless-secure-headers.headers.browserXssFilter=true

      - traefik.http.services.paperless.loadbalancer.server.port=8000

  paperless-ai:
    image: clusterzx/paperless-ai:latest
    container_name: paperless-ai
    restart: unless-stopped
    depends_on:
      - paperless
    environment:
      TZ: ${TZ}
    volumes:
      - /opt/paperless-ai/data:/app/data:Z
    networks:
      - paperless_internal
      - proxy
    labels:
      - traefik.enable=true
      - traefik.docker.network=proxy

      - traefik.http.routers.paperless-ai.rule=Host(`${PAPERLESS_AI_DOMAIN}`)
      - traefik.http.routers.paperless-ai.entrypoints=websecure
      - traefik.http.routers.paperless-ai.tls=true
      - traefik.http.routers.paperless-ai.tls.certresolver=${TRAEFIK_CERTRESOLVER}
      - traefik.http.routers.paperless-ai.middlewares=paperless-ai-secure-headers

      - traefik.http.middlewares.paperless-ai-secure-headers.headers.stsSeconds=31536000
      - traefik.http.middlewares.paperless-ai-secure-headers.headers.stsIncludeSubdomains=true
      - traefik.http.middlewares.paperless-ai-secure-headers.headers.stsPreload=true
      - traefik.http.middlewares.paperless-ai-secure-headers.headers.contentTypeNosniff=true

      - traefik.http.services.paperless-ai.loadbalancer.server.port=3000

  # Sync unidireccional: Nextcloud/Paperless-Inbox -> paperless/consume
  paperless-inbox-sync:
    image: rclone/rclone:latest
    container_name: paperless-inbox-sync
    restart: unless-stopped
    depends_on:
      - paperless
    entrypoint:
      - /bin/sh
      - /rclone-sync.sh
    environment:
      TZ: ${TZ}

      RCLONE_CONFIG_NC_TYPE: webdav
      RCLONE_CONFIG_NC_URL: https://${NC_DOMAIN}/remote.php/dav/files/${NC_WEBDAV_USER}
      RCLONE_CONFIG_NC_VENDOR: nextcloud
      RCLONE_CONFIG_NC_USER: ${NC_WEBDAV_USER}
      RCLONE_CONFIG_NC_PASS: ${NC_WEBDAV_PASS}

      RCLONE_SYNC_INTERVAL: ${RCLONE_SYNC_INTERVAL}
      PAPERLESS_INBOX_DIR: ${PAPERLESS_INBOX_DIR}
    volumes:
      - /opt/paperless/consume:/consume:Z
      - /opt/rclone:/config/rclone:Z
      - /opt/paperless/rclone-sync.sh:/rclone-sync.sh:ro,Z
    networks:
      - paperless_internal

networks:
  paperless_internal:
    driver: bridge

  proxy:
    external: true

  mail_internal:
    external: true