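# Docker Compose definition for a single Keycloak container.
# Every ${...} value is interpolated by Compose from the shell environment or
# an .env file next to this file. Keep that .env out of version control: it
# carries the database password and the bootstrap admin credentials.
services:
  keycloak:
    # The fallback tag `latest` is mutable, so an unset KEYCLOAK_VERSION can pull
    # a different Keycloak on every re-create. Set KEYCLOAK_VERSION to an exact
    # release so upgrades of the identity provider are deliberate and reviewable.
    image: quay.io/keycloak/keycloak:${KEYCLOAK_VERSION:-latest}
    container_name: "${CONTAINER_NAME}"
    restart: always
    entrypoint: '/opt/keycloak/bin/kc.sh'
    # `start` is the production mode. The development mode is `start-dev`; it
    # relaxes production defaults and belongs on a local test machine only.
    # (The original file declared this key twice; duplicate mapping keys are
    # invalid YAML and most parsers silently keep the last one.)
    command: start
    environment:
      # Values are quoted so they always reach the container as strings,
      # including boolean-looking ones such as "true"/"false".
      KC_DB: "${KC_DB}"
      KC_DB_SCHEMA: "${KC_DB_SCHEMA}"
      KC_DB_USERNAME: "${KC_DB_USERNAME}"
      # Secret. An unset variable is interpolated as an empty string with only
      # a warning, so verify it is populated before starting the service.
      KC_DB_PASSWORD: "${KC_DB_PASSWORD}"
      KC_DB_URL_HOST: "${KC_DB_URL_HOST}"
      KC_METRICS_ENABLED: "${KC_METRICS_ENABLED}"
      KC_HEALTH_ENABLED: "${KC_HEALTH_ENABLED}"
      # Secrets. The bootstrap admin is intended as an initial account: create
      # a permanent admin after first login and retire this one. Environment
      # values are readable by anyone who can inspect the container.
      KC_BOOTSTRAP_ADMIN_USERNAME: "${KC_BOOTSTRAP_ADMIN_USERNAME}"
      KC_BOOTSTRAP_ADMIN_PASSWORD: "${KC_BOOTSTRAP_ADMIN_PASSWORD}"
      # Set this only when a trusted reverse proxy sits in front and overwrites
      # the Forwarded / X-Forwarded-* headers; otherwise leave it unset, since
      # Keycloak would then trust client-supplied header values.
      KC_PROXY_HEADERS: "${KC_PROXY_HEADERS}"
      # Plain HTTP on 8080. If enabled, make sure TLS is terminated by the
      # proxy and that port 8080 is not reachable from untrusted networks.
      KC_HTTP_ENABLED: "${KC_HTTP_ENABLED}"
      KC_HOSTNAME_STRICT: "${KC_HOSTNAME_STRICT}"
      KC_HOSTNAME: "${KC_HOSTNAME}"
      KC_HOSTNAME_PORT: "${KC_PORT}"
    volumes:
      # Custom themes from the host. NOTE(review): the mount is read-write;
      # consider appending `:ro` if the container never needs to write here.
      - "${HOST_VOLUME}:/opt/keycloak/themes"
    ports:
      # Port mappings are quoted, as Compose recommends. A bare port number in
      # HOST_PORT1 / HOST_PORT2 publishes on every host interface; prefix it
      # with a bind address (for example `127.0.0.1:8080`) to keep the listener
      # local when a reverse proxy on the same host fronts Keycloak.
      - "${HOST_PORT1}:8080"
      - "${HOST_PORT2}:8443"
    healthcheck:
      # Use a bash-based socket check if curl is missing.
      # This only proves that something accepts TCP connections on 8080 inside
      # the container. NOTE(review): it presumably fails when KC_HTTP_ENABLED
      # is false, because then only the HTTPS listener on 8443 is expected.
      test: ["CMD-SHELL", "timeout 1 bash -c 'cat < /dev/null > /dev/tcp/127.0.0.1/8080' || exit 1"]
      interval: 10s
      timeout: 5s
      retries: 5
      # Gives Keycloak time to boot before failing it.
      start_period: 30s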