# Compose/stack definition for Mealie (recipe manager), SSO-only via authentik
# (OIDC) and published through Caddy using the labels further down.
# NOTE(review): line breaks and indentation were rebuilt from a flattened
# copy; confirm the nesting (especially `labels` under `deploy`) against the
# deployed file.
services:
  recipe:
    # NOTE(review): `latest` is a mutable tag, so a redeploy can pull different
    # code without any change to this file. Pinning a release tag or an image
    # digest keeps upgrades deliberate and reviewable.
    image: ghcr.io/mealie-recipes/mealie:latest
    # NOTE(review): `container_name` and `restart` are ignored by
    # `docker stack deploy`; the `deploy:` section below suggests Swarm, where
    # restart behaviour comes from `deploy.restart_policy`. Confirm which
    # deployment mode is in use.
    container_name: mealie
    restart: always
    ports:
      # Publishes container port 9000 on host port 9925.
      # NOTE(review): this listener is plain HTTP and is reached without going
      # through the Caddy site defined in the labels; in Swarm a published port
      # is by default exposed on every node through the routing mesh. If all
      # access is meant to go through Caddy, confirm this mapping is still
      # needed or is firewalled.
      - "9925:9000"
    environment:
      # UID/GID handed to the container; presumably the owner of the
      # bind-mounted data directory. Verify on the host.
      PUID: "1001"
      PGID: "998"
      TZ: "America/Chicago"
      MAX_WORKERS: "1"
      WEB_CONCURRENCY: "1"
      # Public HTTPS origin. Presumably it must match the redirect URI
      # registered for this client in authentik. Confirm.
      BASE_URL: "https://recipe.netgrimoire.com"

      # Disable local auth / signup (SSO-only)
      # NOTE(review): with password login off there is no local fallback
      # account if the identity provider is unavailable; make sure a recovery
      # procedure exists.
      ALLOW_PASSWORD_LOGIN: "false"
      ALLOW_SIGNUP: "false"

      # OIDC (authentik)
      OIDC_AUTH_ENABLED: "true"
      OIDC_PROVIDER_NAME: "authentik"
      OIDC_CONFIGURATION_URL: "https://auth.netgrimoire.com/application/o/mealie/.well-known/openid-configuration"
      # The client ID is an identifier, not a credential.
      OIDC_CLIENT_ID: "tidMeWe3Ak30zRzcmC5vwoCqAIHXQsaVwJEp44Mz"
      # Placeholder value. Keep the real secret out of version control and
      # supply it at deploy time (an untracked env file or the platform's
      # secret mechanism). Values under `environment:` are readable by anyone
      # who can inspect the service or container.
      OIDC_CLIENT_SECRET: "REDACTED"
      # Unauthenticated visitors are sent straight to the identity provider.
      OIDC_AUTO_REDIRECT: "true"
      # NOTE(review): presumably requests the longer-lived "remember me"
      # session for OIDC logins. Confirm that session lifetime is acceptable.
      OIDC_REMEMBER_ME: "true"

      # User provisioning and claim mapping
      # Accounts are created on first successful OIDC login, so who can get an
      # account is decided by authentik policy and the group settings below.
      OIDC_SIGNUP_ENABLED: "true"
      # NOTE(review): claim used to match the IdP identity to a Mealie user.
      # Confirm how the Mealie version in use interprets `sub` here.
      OIDC_USER_CLAIM: "sub"
      OIDC_NAME_CLAIM: "preferred_username"
      # NOTE(review): the requested scopes do not name a groups scope; the
      # group mapping below only works if authentik emits `groups` under one
      # of the scopes requested here. Verify the provider's scope mappings.
      OIDC_GROUPS_CLAIM: "groups"
      OIDC_SCOPES_OVERRIDE: "openid profile email"

      # Group-based role mapping
      # Authorization is delegated to IdP group membership: whoever can edit
      # these two groups in authentik controls access and admin rights here.
      OIDC_USER_GROUP: "mealie-users"
      OIDC_ADMIN_GROUP: "mealie-admins"
    volumes:
      # Bind mount for application data.
      # NOTE(review): `/ockerVol` may be a truncated path; check it against
      # the host before deploying, since a wrong source path separates the
      # container from its existing data.
      - /ockerVol/mealie:/app/data
    networks:
      - netgrimoire
    deploy:
      placement:
        constraints:
          # Pins the task to one node; presumably because the bind mount above
          # is local to that host. Confirm.
          - node.hostname == docker4
      labels:
        # Dashboard (homepage) entry.
        - homepage.group=PNCHarris Apps
        - homepage.name=Mealie
        - homepage.icon=mealie.png
        - homepage.href=https://recipe.netgrimoire.com
        - homepage.description=Recipe Manager
        # Uptime monitor; probes the service over the internal network.
        # NOTE(review): in this plain scalar the double quotes are part of the
        # label value. Check how the monitor displays the name.
        - kuma.recipe.http.name="Mealie"
        - kuma.recipe.http.url=http://recipe:9000
        # Caddy site: proxies recipe.netgrimoire.com to the container.
        - caddy=recipe.netgrimoire.com
        # The authentik snippet import is disabled, so the proxy applies no
        # authentication of its own (assuming that snippet is the proxy-level
        # check); access control rests on Mealie's OIDC settings above.
        #- caddy.import=authentik
        - caddy.reverse_proxy=recipe:9000

networks:
  # Pre-existing network shared with the reverse proxy; it is not created by
  # this file.
  netgrimoire:
    external: true