# sql — central config DB (postgres, cloud only)
# Networks: data (no internet egress)

services:
  sql:
    image: postgres:16-alpine
    restart: unless-stopped
    networks: [data]
    environment:
      POSTGRES_DB: ${SQL_DB}
      POSTGRES_USER: ${SQL_USER}
      POSTGRES_PASSWORD: ${SQL_PASSWORD}
      # Per-app passwords (read by config/init.d/01-databases.sh on first start)
      GITEA_DB_PASSWORD: ${GITEA_DB_PASSWORD}
      KEYCLOAK_DB_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
      MLFLOW_DB_PASSWORD: ${MLFLOW_DB_PASSWORD}
      TZ: ${TZ:-Europe/Amsterdam}
    volumes:
      - sql-data:/var/lib/postgresql/data
      - ./config/init.d:/docker-entrypoint-initdb.d:ro
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${SQL_USER} -d ${SQL_DB}"]
      interval: 10s
      timeout: 5s
      retries: 10
      start_period: 30s

networks:
  data:

volumes:
  sql-data: