services:
  mosquitto:
    image: eclipse-mosquitto:2
    container_name: ${CONTAINER_NAME:-mosquitto}
    restart: unless-stopped

    environment:
      TZ: ${TZ:-Europe/Berlin}
      MQTT_USER: ${MQTT_USER:-mqttuser}
      MQTT_PORT: ${MQTT_PORT:-1883}

    volumes:
      # Dein einziges Root-Volume
      - ${VOLUME_ROOT:-./mosquitto}/config:/mosquitto/config
      - ${VOLUME_ROOT:-./mosquitto}/data:/mosquitto/data
      - ${VOLUME_ROOT:-./mosquitto}/log:/mosquitto/log

      # Host-Zertifikate (read-only), z.B. für Bridges
      - /etc/ssl/certs:/etc/ssl/certs:ro

    ports:
      - "${MQTT_PORT:-1883}:1883"

    dns:
      - ${DNS_SERVER}

    command:
      - sh
      - -c
      - |
        CONF=/mosquitto/config/mosquitto.conf
        PASSWD=/mosquitto/config/passwd

        echo "=== Preparing directories ==="
        mkdir -p /mosquitto/config /mosquitto/data /mosquitto/log

        echo "=== Checking mosquitto.conf ==="
        if [ ! -f "$CONF" ]; then
          echo "Generating mosquitto.conf..."
          printf '%s\n' \
            "listener ${MQTT_PORT:-1883}" \
            "allow_anonymous false" \
            "password_file /mosquitto/config/passwd" \
            > "$CONF"
        else
          echo "Existing mosquitto.conf found."
        fi

        echo "=== Checking user ==="
        if [ ! -f "$PASSWD" ]; then
          echo "Generating random password for user: $MQTT_USER"
          RANDOM_PASS=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 32)
          echo "Generated password (save this!):"
          echo "$RANDOM_PASS"
          mosquitto_passwd -c -b "$PASSWD" "$MQTT_USER" "$RANDOM_PASS"
        else
          echo "Password file exists — skipping user creation."
        fi

        echo "=== Starting Mosquitto ==="
        mosquitto -c "$CONF"