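---
# Docker Swarm stack: one Keycloak instance backed by a three-node
# PostgreSQL/repmgr cluster, all attached to a private overlay network.
#
# Every ${...} value is interpolated from the deploying environment. The
# `:?` form aborts the deploy when a credential is unset or empty, instead
# of silently rendering a blank password into the service spec.
#
# NOTE(review): values under `environment:` are readable by anyone who can
# run `docker service inspect` / `docker inspect`. The Bitnami image also
# accepts *_FILE variants (e.g. POSTGRESQL_PASSWORD_FILE), which pair with
# Swarm `secrets:` and keep the values out of the service definition.
version: "3.9"

networks:
  keycloak-net:
    driver: overlay
    # NOTE(review): overlay data-plane traffic is not encrypted by default.
    # The placement labels below (lnd1, nyc3, amd1) look like separate
    # hosts or sites; if SQL and replication traffic crosses a link you do
    # not control, consider `driver_opts: { encrypted: "true" }` here.

services:
  # ────────── KEYCLOAK ────────────────────────────────────────────────
  keycloak:
    image: quay.io/keycloak/keycloak:26.2.1  # 23 Apr 2025 latest
    # `--optimized` is intentionally not passed: it skips the build step,
    # and build-time options such as KC_DB only take effect after a build.
    # On an image that was not pre-built for postgres, the flag would leave
    # the configured database unused. Add it back only together with a
    # custom image that runs `kc.sh build` with the same options.
    #
    # NOTE(review): --hostname-strict=false makes Keycloak derive its public
    # URL from request headers, so issuer and link URLs follow whatever Host
    # the client sends. For production, set a fixed hostname (KC_HOSTNAME).
    #
    # NOTE(review): no TLS key material, KC_HTTP_ENABLED, proxy-header
    # setting or published port is visible in this file; confirm how the
    # service is exposed and where TLS terminates.
    command: >-
      start
      --cache=ispn
      --hostname-strict=false
    environment:
      KC_DB: postgres
      # NOTE(review): Keycloak addresses pg-0 by name. After a repmgr
      # failover the writable primary may be another node; confirm how
      # clients are redirected.
      KC_DB_URL_HOST: pg-0  # <- new primary name
      KC_DB_URL_PORT: "5432"
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: "${KC_DB_PASSWORD:?KC_DB_PASSWORD must be set}"
      # Keycloak 26 deprecates KEYCLOAK_ADMIN / KEYCLOAK_ADMIN_PASSWORD in
      # favour of the KC_BOOTSTRAP_ADMIN_* names. The host-side variable
      # names are unchanged, so existing .env files keep working.
      KC_BOOTSTRAP_ADMIN_USERNAME: "${KEYCLOAK_ADMIN:?KEYCLOAK_ADMIN must be set}"
      KC_BOOTSTRAP_ADMIN_PASSWORD: "${KEYCLOAK_ADMIN_PASSWORD:?KEYCLOAK_ADMIN_PASSWORD must be set}"
    # `docker stack deploy` ignores depends_on; start-up ordering in Swarm
    # relies on the restart policy below retrying until pg-0 answers.
    depends_on: [pg-0]
    networks: [keycloak-net]
    deploy:
      replicas: 1
      restart_policy: { condition: on-failure }
      placement:
        constraints:
          - node.role == worker

  # ────────── POSTGRESQL-REPMGR HA CLUSTER ────────────────────────────
  # NOTE(review): `:17` is a floating tag, so the three nodes can end up on
  # different image builds after a re-pull. Pin a full version or a digest.
  # Each node bind-mounts a host directory, so its data lives only on the
  # node named in its placement constraint.
  pg-0:  # primary
    image: bitnami/postgresql-repmgr:17
    environment:
      POSTGRESQL_POSTGRES_PASSWORD: "${PG_SUPERUSER_PASSWORD:?PG_SUPERUSER_PASSWORD must be set}"
      POSTGRESQL_USERNAME: keycloak
      POSTGRESQL_PASSWORD: "${KC_DB_PASSWORD:?KC_DB_PASSWORD must be set}"
      POSTGRESQL_DATABASE: keycloak
      REPMGR_USERNAME: repmgr
      REPMGR_PASSWORD: "${REPMGR_PASSWORD:?REPMGR_PASSWORD must be set}"
      REPMGR_NODE_ID: "1000"
      REPMGR_NODE_NAME: pg-0
      REPMGR_NODE_NETWORK_NAME: pg-0
      REPMGR_PRIMARY_HOST: pg-0
      REPMGR_PARTNER_NODES: pg-0,pg-1,pg-2
    volumes:
      - /store/new-age/data/kc-pg-data-r0:/bitnami/postgresql
    networks: [keycloak-net]
    deploy:
      restart_policy: { condition: on-failure }
      placement:
        constraints:
          - node.labels.server_id == lnd1  # your pin

  pg-1:  # replica-1
    image: bitnami/postgresql-repmgr:17
    environment:
      POSTGRESQL_POSTGRES_PASSWORD: "${PG_SUPERUSER_PASSWORD:?PG_SUPERUSER_PASSWORD must be set}"
      POSTGRESQL_USERNAME: keycloak
      POSTGRESQL_PASSWORD: "${KC_DB_PASSWORD:?KC_DB_PASSWORD must be set}"
      POSTGRESQL_DATABASE: keycloak
      # NOTE(review): the repmgr image normally decides primary/standby from
      # REPMGR_PRIMARY_HOST; confirm this variable is needed here.
      POSTGRESQL_REPLICATION_MODE: slave
      REPMGR_USERNAME: repmgr
      REPMGR_PASSWORD: "${REPMGR_PASSWORD:?REPMGR_PASSWORD must be set}"
      REPMGR_NODE_ID: "1001"
      REPMGR_NODE_NAME: pg-1
      REPMGR_NODE_NETWORK_NAME: pg-1
      REPMGR_PRIMARY_HOST: pg-0
      REPMGR_PARTNER_NODES: pg-0,pg-1,pg-2
    volumes:
      - /store/new-age/data/kc-pg-data-r1:/bitnami/postgresql
    networks: [keycloak-net]
    deploy:
      restart_policy: { condition: on-failure }
      placement:
        constraints:
          - node.labels.server_id == nyc3

  pg-2:  # replica-2
    image: bitnami/postgresql-repmgr:17
    environment:
      POSTGRESQL_POSTGRES_PASSWORD: "${PG_SUPERUSER_PASSWORD:?PG_SUPERUSER_PASSWORD must be set}"
      POSTGRESQL_USERNAME: keycloak
      POSTGRESQL_PASSWORD: "${KC_DB_PASSWORD:?KC_DB_PASSWORD must be set}"
      POSTGRESQL_DATABASE: keycloak
      # NOTE(review): the repmgr image normally decides primary/standby from
      # REPMGR_PRIMARY_HOST; confirm this variable is needed here.
      POSTGRESQL_REPLICATION_MODE: slave
      REPMGR_USERNAME: repmgr
      REPMGR_PASSWORD: "${REPMGR_PASSWORD:?REPMGR_PASSWORD must be set}"
      REPMGR_NODE_ID: "1002"
      REPMGR_NODE_NAME: pg-2
      REPMGR_NODE_NETWORK_NAME: pg-2
      REPMGR_PRIMARY_HOST: pg-0
      REPMGR_PARTNER_NODES: pg-0,pg-1,pg-2
    volumes:
      - /store/new-age/data/kc-pg-data-r2:/bitnami/postgresql
    networks: [keycloak-net]
    deploy:
      restart_policy: { condition: on-failure }
      placement:
        constraints:
          - node.labels.server_id == amd1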