version: '3.8'

services:
  coder:
    image: ghcr.io/coder/coder:latest
    container_name: coder
    restart: unless-stopped
    user: "1000:1000"  # 非 root
    environment:
      # === 資料庫 ===
      CODER_PG_CONNECTION_URL: postgresql://coder:${POSTGRES_PASSWORD}@postgres:5432/coder?sslmode=disable

      # === 外部 URL ===
      CODER_ACCESS_URL: https://coder.your-domain.com
      CODER_WILDCARD_ACCESS_URL: https://*.coder.your-domain.com

      # === TLS 由 Nginx 處理 ===
      CODER_TLS_ENABLE: "false"

      # === GitHub OIDC ===
      CODER_OIDC_ISSUER_URL: https://token.actions.githubusercontent.com
      CODER_OIDC_CLIENT_ID: ${CODER_OIDC_CLIENT_ID}
      CODER_OIDC_CLIENT_SECRET: ${CODER_OIDC_CLIENT_SECRET}
      CODER_OIDC_ALLOW_SIGNUPS: "true"

    volumes:
      # 每個使用者獨立資料夾
      - user_data:/home
      - coder_config:/home/coder/.config
    networks:
      - coder-net
    depends_on:
      - postgres

  postgres:
    image: postgres:15-alpine
    container_name: coder-postgres
    restart: unless-stopped
    environment:
      POSTGRES_DB: coder
      POSTGRES_USER: coder
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
    volumes:
      - postgres_data:/var/lib/postgresql/data
    networks:
      - coder-net

volumes:
  user_data:
    driver: local
    driver_opts:
      type: none
      device: /path/to/host/user_data   # 宿主機目錄
      o: bind
  coder_config:
    driver: local
  postgres_data:
    driver: local

networks:
  coder-net:
    driver: bridge