services:
  open-webui:
    image: ghcr.io/open-webui/open-webui:main
    container_name: open-webui
    ports:
      - "4000:8080"
    volumes:
      - open-webui:/app/backend/data
    extra_hosts:
      - host.docker.internal:host-gateway
    restart: always
    depends_on:
      - postgres
      - tools
    networks:
      - internal

  tools:
    container_name: openwebui_tools
    build:
      context: ./tools
      dockerfile: Dockerfile
    env_file: .env
    restart: on-failure

    networks:
    - internal

  postgres:
    image: postgres:latest
    container_name: openwebui_postgres
    restart: always
    environment:
      - POSTGRES_USER=postgres
      - POSTGRES_PASSWORD=mypassword
      - POSTGRES_DB=openwebui_db
    volumes:
      - pgdata:/var/lib/postgresql/data 
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U postgres"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - internal

  # 8080
  searxng:
    image: searxng/searxng:latest
    container_name: searxng
    volumes:
      - ./searxng.yml:/etc/searxng/settings.yml:ro,Z
      - searxng_data:/etc/searxng:rw
    restart: always

    # DELETEME: for local testing only (extern port closed)
    ports:
      - "4001:8080"
    networks:
      - internal

  coderunner:
    build:
      context: ./coderunner
      dockerfile: Dockerfile
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "curl", "-fsS", "http://127.0.0.1:8787/openapi.json"]
      interval: 30s
      timeout: 3s
      retries: 3
      start_period: 10s

    user: "1000:1000"
    group_add:
      - "977"

    # death
    environment:
      DOCKER_HOST: "unix:///var/run/docker.sock"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:Z
      # - ./tmp:/tmp

    read_only: true
    tmpfs:
      - /run:rw,nosuid,nodev
      - /tmp:rw,exec,nosuid,nodev,size=64m

    security_opt:
      - no-new-privileges:true
      - label=disable
    networks:
      - internal

  browser:
    build:
      context: ./browser
      dockerfile: Dockerfile
    container_name: browser
    networks:
      - internal
    # playwright/chromium has larger /dev/shm :D
    shm_size: "1gb"
    user: "1000:1000"
    environment:
      WEBUI_IP: "0.0.0.0"
      WEBUI_PORT: "7788"
    ports:
      - "7788:7788"
    tmpfs:
      - /opt/web-ui/tmp:rw,exec,nosuid,nodev,mode=1777,size=64m
    volumes:
      - webui_data:/data
      # - webui_env:/opt/web-ui/.env
    healthcheck:
      test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://127.0.0.1:7788').read()"]
      interval: 30s
      timeout: 5s
      retries: 5
    restart: unless-stopped

volumes:
  open-webui:
  pgdata:
  searxng_data:
  webui_data:

networks:
  internal:
    driver: bridge