services:
  bookstack:
    image: lscr.io/linuxserver/bookstack:latest
    container_name: bookstack
    restart: unless-stopped
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Chicago
      - APP_URL=https://books.kitestacks.com   # CHANGE: set to your actual BookStack subdomain
      - DB_HOST=bookstack-db
      - DB_PORT=3306
      - DB_USERNAME=bookstack
      - DB_PASSWORD=bookstackpassword
      - DB_DATABASE=bookstackapp
      # Authentik OIDC — fill in BOOKSTACK_OIDC_SECRET in .env after creating the Authentik app
      - AUTH_METHOD=oidc
      - AUTH_AUTO_INITIATE=false
      - OIDC_NAME=Authentik
      - OIDC_DISPLAY_NAME_CLAIMS=name
      - OIDC_CLIENT_ID=bookstack
      - OIDC_CLIENT_SECRET=${BOOKSTACK_OIDC_SECRET}
      - OIDC_ISSUER=https://auth.kitestacks.com/application/o/bookstack/
      - OIDC_ISSUER_DISCOVER=true
    volumes:
      - ./bookstack:/config
    ports:
      - "6875:80"
    depends_on:
      - bookstack-db
    networks:
      - default
      - kitestacks

  bookstack-db:
    image: mariadb:11
    container_name: bookstack-db
    restart: unless-stopped
    environment:
      - MYSQL_ROOT_PASSWORD=supersecretrootpassword
      - MYSQL_DATABASE=bookstackapp
      - MYSQL_USER=bookstack
      - MYSQL_PASSWORD=bookstackpassword
    volumes:
      - ./db:/var/lib/mysql

networks:
  kitestacks:
    external: true