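---
# Identity lab: OpenLDAP + Keycloak (+ phpLDAPadmin), intended for local use only.
# Credentials, TLS and hostname checks are deliberately weak; every service port is
# published on all host interfaces, so keep this on a trusted machine/network
# (or prefix the host side of each port with 127.0.0.1: to bind to loopback).
# Admin passwords can be overridden without editing this file by setting
# LDAP_ADMIN_PASSWORD / KEYCLOAK_ADMIN / KEYCLOAK_ADMIN_PASSWORD in the shell or a .env
# file; the defaults below match the original values.
services:
  # ===================
  # OpenLDAP (ARM-native, works great on M1/M2/M3)
  # ===================
  openldap:
    image: osixia/openldap:1.5.0
    container_name: openldap
    environment:
      - LDAP_ORGANISATION=Lab
      - LDAP_DOMAIN=lab.local
      - LDAP_BASE_DN=dc=lab,dc=local
      - LDAP_ADMIN_PASSWORD=${LDAP_ADMIN_PASSWORD:-admin123}
      - LDAP_TLS=false
    ports:
      - "389:389"
      # Nothing listens on 636 while LDAP_TLS=false; kept so enabling TLS needs no port change.
      - "636:636"
    volumes:
      - openldap-data:/var/lib/ldap
      - openldap-config:/etc/ldap/slapd.d
    restart: unless-stopped

  # ===================
  # Keycloak (OIDC/SAML Provider)
  # ===================
  keycloak:
    # Unpinned tag: behaviour can change between pulls. Newer Keycloak releases
    # deprecate KEYCLOAK_ADMIN/KEYCLOAK_ADMIN_PASSWORD in favour of
    # KC_BOOTSTRAP_ADMIN_USERNAME/KC_BOOTSTRAP_ADMIN_PASSWORD; pin a tag once the
    # lab works and watch the startup log for deprecation warnings.
    image: quay.io/keycloak/keycloak:latest
    container_name: keycloak
    environment:
      - KEYCLOAK_ADMIN=${KEYCLOAK_ADMIN:-admin}
      - KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD:-admin}
      - KC_HTTP_ENABLED=true
      - KC_HOSTNAME_STRICT=false
    ports:
      - "8080:8080"
    command: start-dev
    # Ordering only: nothing here wires Keycloak to the LDAP server (no user federation).
    depends_on:
      - openldap
    restart: unless-stopped
    healthcheck:
      # TCP-level check only (port open != realms ready); keycloak-init sleeps to compensate.
      test: ["CMD-SHELL", "exec 3<>/dev/tcp/localhost/8080"]
      interval: 5s
      timeout: 5s
      retries: 12

  # Disables HTTPS requirement and creates the lab realm.
  # Runs once; safe to re-run (skips realm creation if "lab" already exists).
  # Exits non-zero, instead of printing "Done", when any admin call fails.
  keycloak-init:
    image: curlimages/curl:latest
    container_name: keycloak-init
    depends_on:
      keycloak:
        condition: service_healthy
    entrypoint: /bin/sh
    command:
      - -c
      - |
        set -eu
        echo "Waiting for Keycloak..."
        sleep 10
        echo "Getting admin token..."
        # $$ is Compose's escape for a literal $; ${VAR:-default} is expanded by Compose.
        TOKEN=$$(curl -sSf -X POST "http://keycloak:8080/realms/master/protocol/openid-connect/token" \
          -H "Content-Type: application/x-www-form-urlencoded" \
          -d "username=${KEYCLOAK_ADMIN:-admin}" \
          -d "password=${KEYCLOAK_ADMIN_PASSWORD:-admin}" \
          -d "grant_type=password" \
          -d "client_id=admin-cli" | sed 's/.*"access_token":"\([^"]*\)".*/\1/')
        # Empty: curl -f rejected the response. Contains a quote: sed found no
        # access_token and passed the raw (error) body through. A JWT never has either.
        case "$$TOKEN" in
          ""|*\"*)
            echo "Failed to obtain admin token from Keycloak" >&2
            exit 1
            ;;
        esac
        echo "Disabling SSL on master realm..."
        # sslRequired=NONE lets the admin console work over plain HTTP; lab-only setting.
        curl -sSf -X PUT "http://keycloak:8080/admin/realms/master" \
          -H "Authorization: Bearer $$TOKEN" \
          -H "Content-Type: application/json" \
          -d '{"sslRequired":"NONE"}'
        if curl -sf -o /dev/null "http://keycloak:8080/admin/realms/lab" \
          -H "Authorization: Bearer $$TOKEN"; then
          echo "Realm lab already exists, skipping creation"
        else
          echo "Creating lab realm..."
          curl -sSf -X POST "http://keycloak:8080/admin/realms" \
            -H "Authorization: Bearer $$TOKEN" \
            -H "Content-Type: application/json" \
            -d '{"realm":"lab","enabled":true,"sslRequired":"NONE"}'
        fi
        echo "Done - master and lab realms ready with SSL disabled"
    restart: "no"

  # ===================
  # LDAP Admin UI (browse LDAP visually)
  # ===================
  ldap-admin:
    # Unpinned image (no tag); pin one for reproducible rebuilds.
    image: osixia/phpldapadmin
    container_name: ldap-admin
    environment:
      - PHPLDAPADMIN_LDAP_HOSTS=openldap
      # Plain HTTP: the LDAP admin password crosses the wire unencrypted; loopback use only.
      - PHPLDAPADMIN_HTTPS=false
    ports:
      - "8081:80"
    depends_on:
      - openldap
    restart: unless-stopped

volumes:
  openldap-data:
  openldap-config: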