services:
  postgres:
    image: postgres:17-alpine
    container_name: postgres
    restart: always
    environment:
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
      POSTGRES_DB: ${POSTGRES_DB}
    volumes:
      - ./certs/psql-server.crt:/var/lib/postgresql/server.crt:ro
      - ./certs/psql-server.key:/var/lib/postgresql/server.key:ro
      - postgres_data:/var/lib/postgresql/data
    ports:
      - '5432:5432'
    command: >
      postgres
      -c ssl=on
      -c ssl_cert_file=/var/lib/postgresql/server.crt
      -c ssl_key_file=/var/lib/postgresql/server.key
    healthcheck:
      test: ['CMD-SHELL', 'pg_isready -U ${POSTGRES_USER}']
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - backend

  valkey:
    image: valkey/valkey:8-alpine
    container_name: valkey
    restart: always
    ports:
      - '6379:6379'
    volumes:
      - ./certs/cache-server.crt:/certs/server.crt:ro
      - ./certs/cache-server.key:/certs/server.key:ro
      - ./certs/cache-ca.crt:/certs/ca.crt:ro
      - valkey_data:/data
    command: >
      valkey-server
      --requirepass ${VALKEY_PASSWORD}
      --tls-port 6379
      --port 0
      --tls-cert-file /certs/server.crt
      --tls-key-file /certs/server.key
      --tls-ca-cert-file /certs/ca.crt
    healthcheck:
      test: ['CMD', 'valkey-cli', '-a', '${VALKEY_PASSWORD}', 'ping']
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - backend

volumes:
  postgres_data:
  valkey_data:

networks:
  backend:
    driver: bridge