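---
# Docker Compose stack for a self-hosted Penpot instance: frontend, backend,
# MCP service, exporter and a bundled PostgreSQL 15 database.
#
# Values written as ${NAME} are interpolated by Compose from the shell
# environment or an .env file. An unset variable expands to an empty string;
# the ${NAME:?message} form makes Compose refuse to start instead. Keep the
# .env file that holds the secrets out of version control.

# Feature flags shared by the frontend and the backend.
x-flags: &penpot-flags
  # Security-relevant entries in this list:
  #   disable-secure-session-cookies  session cookies are issued without the
  #                                   Secure attribute; only appropriate while
  #                                   the instance is served over plain HTTP.
  #   disable-email-verification      new accounts are usable without
  #                                   confirming the e-mail address.
  #   disable-sandbox                 NOTE(review): if this switches off the
  #                                   browser sandbox of the headless renderer
  #                                   it removes an isolation layer; confirm
  #                                   the deployed Penpot version recognises
  #                                   the flag and that it is still required.
  PENPOT_FLAGS: >-
    disable-email-verification
    enable-smtp
    enable-prepl-server
    disable-secure-session-cookies
    enable-mcp
    disable-sandbox
    enable-login-with-password

# Public URL under which users reach the instance.
x-uri: &penpot-public-uri
  PENPOT_PUBLIC_URI: "${PENPOT_PUBLIC_URI}"

# Upload limits: 367001600 bytes = 350 MiB for plain and multipart bodies.
x-body-size: &penpot-http-body-size
  PENPOT_HTTP_SERVER_MAX_BODY_SIZE: 367001600
  PENPOT_HTTP_SERVER_MAX_MULTIPART_BODY_SIZE: 367001600

# Secret key shared by the backend and the exporter; supply a long random
# value through the environment.
x-secret-key: &penpot-secret-key
  PENPOT_SECRET_KEY: "${PENPOT_SECRET_KEY}"

networks:
  penpot-net:
    driver: bridge

volumes:
  penpot_assets:
  # Persists the local database across container restarts.
  penpot_postgres_v15:

services:
  penpot-frontend:
    # With PENPOT_VERSION unset the image falls back to the mutable "latest"
    # tag; pin a release so every deployment runs the same image.
    image: "penpotapp/frontend:${PENPOT_VERSION:-latest}"
    restart: always
    ports:
      # Host port 8084 -> container port 80, published on all host interfaces.
      # NOTE(review): the exporter below reaches this service on port 8080;
      # confirm which port the frontend image actually listens on.
      - "8084:80"
    volumes:
      - penpot_assets:/opt/data/assets
    depends_on:
      - penpot-backend
      - penpot-exporter
      - penpot-mcp
    networks:
      - penpot-net
    environment:
      <<: [*penpot-flags, *penpot-http-body-size, *penpot-public-uri]

  penpot-backend:
    image: "penpotapp/backend:${PENPOT_VERSION:-latest}"
    restart: always
    volumes:
      - penpot_assets:/opt/data/assets
    networks:
      - penpot-net
    ports:
      # NOTE(review): this publishes the backend on every host interface.
      # Services on penpot-net reach it by service name without a published
      # port; if host access is needed only locally, "127.0.0.1:6060:6060"
      # limits the exposure.
      - "6060:6060"
    depends_on:
      penpot-postgres:
        # Start the backend only once the database healthcheck passes.
        condition: service_healthy
    environment:
      <<:
        - *penpot-flags
        - *penpot-public-uri
        - *penpot-http-body-size
        - *penpot-secret-key

      # Key used between the backend and the exporter.
      PENPOT_EXPORTER_SECRET_KEY: "${PENPOT_EXPORTER_SECRET_KEY}"

      ## Local internal database connection parameters
      PENPOT_DATABASE_URI: postgresql://penpot-postgres/penpot
      PENPOT_DATABASE_USERNAME: penpot
      # Taken from the environment so the credential is not fixed in this
      # file; falls back to the previous literal when the variable is unset.
      # Must match POSTGRES_PASSWORD of penpot-postgres.
      PENPOT_DATABASE_PASSWORD: "${PENPOT_DATABASE_PASSWORD:-penpot}"

      ## Valkey/Redis endpoint (external to this stack, on the k3s node)
      PENPOT_REDIS_URI: "${PENPOT_REDIS_URI}"

      ## Storage settings
      PENPOT_OBJECTS_STORAGE_BACKEND: fs
      PENPOT_OBJECTS_STORAGE_FS_DIRECTORY: /opt/data/assets

      ## Telemetry & optional settings
      PENPOT_TELEMETRY_ENABLED: "false"

  penpot-mcp:
    image: "penpotapp/mcp:${PENPOT_VERSION:-latest}"
    restart: always
    networks:
      - penpot-net

  penpot-exporter:
    image: "penpotapp/exporter:${PENPOT_VERSION:-latest}"
    restart: always
    # Larger /dev/shm so the Puppeteer rendering processes do not crash for
    # lack of shared memory.
    shm_size: '2gb'
    networks:
      - penpot-net
    environment:
      <<: [*penpot-secret-key]
      PENPOT_EXPORTER_SECRET_KEY: "${PENPOT_EXPORTER_SECRET_KEY}"
      PENPOT_PUBLIC_URI: http://penpot-frontend:8080

      ## Valkey/Redis endpoint, set under both names for the exporter
      PENPOT_REDIS_URI: "${PENPOT_REDIS_URI}"
      PENPOT_REDIS_URL: "${PENPOT_REDIS_URI}"
      # See the disable-sandbox note on x-flags; the exporter renders
      # user-supplied designs in a headless browser.
      PENPOT_FLAGS: disable-sandbox

  # Bundled database service; no host port is published, so it is reachable
  # only from containers on penpot-net.
  penpot-postgres:
    image: "postgres:15"
    restart: always
    stop_signal: SIGINT
    networks:
      - penpot-net
    volumes:
      - penpot_postgres_v15:/var/lib/postgresql/data
    environment:
      POSTGRES_INITDB_ARGS: "--data-checksums"
      POSTGRES_DB: penpot
      POSTGRES_USER: penpot
      # Same variable as the backend's PENPOT_DATABASE_PASSWORD. The postgres
      # image applies it only when the data directory is first initialised;
      # for an existing penpot_postgres_v15 volume, change the role's password
      # inside the database as well.
      POSTGRES_PASSWORD: "${PENPOT_DATABASE_PASSWORD:-penpot}"
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U penpot"]
      interval: 2s
      timeout: 10s
      retries: 5
      start_period: 2s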