x-flags: &penpot-flags
  # Merged disable-sandbox into the flags array to protect the headless engine
  PENPOT_FLAGS: disable-email-verification enable-smtp enable-prepl-server disable-secure-session-cookies enable-mcp disable-sandbox

x-uri: &penpot-public-uri
  PENPOT_PUBLIC_URI: ${PENPOT_PUBLIC_URI}

x-body-size: &penpot-http-body-size
  PENPOT_HTTP_SERVER_MAX_BODY_SIZE: 367001600
  PENPOT_HTTP_SERVER_MAX_MULTIPART_BODY_SIZE: 367001600

x-secret-key: &penpot-secret-key
  PENPOT_SECRET_KEY: ${PENPOT_SECRET_KEY}

networks:
  penpot-net:
    driver: bridge

volumes:
  penpot_assets:

services:
  penpot-frontend:
    image: "penpotapp/frontend:${PENPOT_VERSION:-latest}"
    restart: always
    ports:
      - "8084:80" # Binds your port 8084 layout mapping to Penpot frontend
    volumes:
      - penpot_assets:/opt/data/assets
    depends_on:
      - penpot-backend
      - penpot-exporter
      - penpot-mcp
    networks:
      - penpot-net
    environment:
      << : [*penpot-flags, *penpot-http-body-size, *penpot-public-uri]

  penpot-backend:
    image: "penpotapp/backend:${PENPOT_VERSION:-latest}"
    restart: always
    volumes:
      - penpot_assets:/opt/data/assets
    networks:
      - penpot-net
    ports:
      - "6060:6060"
    environment:
      << : [*penpot-flags, *penpot-public-uri, *penpot-http-body-size, *penpot-secret-key]
      
      # Security Handshake Key for internal Exporter validation routines
      PENPOT_EXPORTER_SECRET_KEY: ${PENPOT_EXPORTER_SECRET_KEY}

      ## Database connection parameters pointing directly to your external LXC
      # Note: Ensure the raw string value assigned to this variable inside your .env 
      # has special characters URL-encoded (e.g. postgresql://penpot:ddlO%26%40jdw72%23zA@...)
      PENPOT_DATABASE_URI: ${PENPOT_DATABASE_URI}

      ## Valkey/Redis parameters routed directly to your active k3s node
      PENPOT_REDIS_URI: ${PENPOT_REDIS_URI}

      ## Storage Settings
      PENPOT_OBJECTS_STORAGE_BACKEND: fs
      PENPOT_OBJECTS_STORAGE_FS_DIRECTORY: /opt/data/assets

      ## Telemetry & Optional settings
      PENPOT_TELEMETRY_ENABLED: "false"

  penpot-mcp:
    image: "penpotapp/mcp:${PENPOT_VERSION:-latest}"
    restart: always
    networks:
      - penpot-net

  penpot-exporter:
    image: "penpotapp/exporter:${PENPOT_VERSION:-latest}"
    restart: always
    shm_size: '2gb' # Retained to protect Puppeteer rendering processes from memory crashes
    networks:
      - penpot-net
    environment:
      << : [*penpot-secret-key]
      PENPOT_EXPORTER_SECRET_KEY: ${PENPOT_EXPORTER_SECRET_KEY}
      PENPOT_PUBLIC_URI: http://penpot-frontend:8080

      ## Valkey/Redis variables duplicated to satisfy background exporter sub-engines
      PENPOT_REDIS_URI: ${PENPOT_REDIS_URI}
      PENPOT_REDIS_URL: ${PENPOT_REDIS_URI}
      PENPOT_FLAGS: disable-sandbox