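# PostgreSQL with server-side TLS, published on the host for LAN clients.
# Credentials and the database name are interpolated by Compose from the
# shell environment or an .env file.
services:
  postgres:
    # NOTE(review): `latest` is a floating tag, so a later pull can move to a
    # new major version. PostgreSQL will not start on a data directory that
    # was initialised by a different major version. Pin a major version tag
    # (or an image digest) that matches the data in postgres_data.
    image: postgres:latest
    container_name: postgres_secure
    restart: unless-stopped
    environment:
      POSTGRES_USER: "${POSTGRES_USER}"
      # Fail at `docker compose up` when the password is missing, instead of
      # letting Compose substitute an empty string.
      # NOTE(review): environment values are visible through `docker inspect`.
      # The official image also accepts POSTGRES_PASSWORD_FILE, which can
      # point at a mounted secret instead.
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}"
      POSTGRES_DB: "${POSTGRES_DB}"
      # The cluster lives in a subdirectory of the mounted volume.
      PGDATA: /var/lib/postgresql/data/pgdata
    volumes:
      - postgres_data:/var/lib/postgresql/data
      # server.key must be readable by the postgres user inside the
      # container. PostgreSQL refuses a key file with group or world access
      # (0600 owned by the database user, or 0640 when owned by root), so
      # check the ownership and mode of the files in ./certs on the host.
      - ./certs:/certs:ro
      # The image runs these scripts only when PGDATA is empty (first
      # initialisation); later edits have no effect on an existing cluster.
      - ./init-scripts:/docker-entrypoint-initdb.d:ro
      - ./custom-conf:/etc/postgresql/conf.d:ro
    ports:
      # accessible from LAN
      # NOTE(review): this form publishes the port on every host interface,
      # not only the LAN-facing one. To restrict it, prefix the host address,
      # e.g. "<LAN_INTERFACE_IP>:5432:5432" (placeholder).
      - "5432:5432"
    # ssl=on makes TLS available but does not require it. Whether a client
    # must use TLS is decided per rule in pg_hba.conf: use `hostssl` entries
    # (and no plain `host` entries) for remote addresses. ssl_ca_file is only
    # consulted for client certificates when an hba rule asks for them
    # (clientcert=verify-ca / verify-full, or the cert auth method).
    # pg_hba.conf is read from PGDATA unless the custom postgresql.conf sets
    # hba_file - confirm which file is in effect.
    # Options given here with -c take precedence over the same settings in
    # the file named by config_file.
    command: >
      postgres
      -c listen_addresses='*'
      -c ssl=on
      -c ssl_cert_file=/certs/server.crt
      -c ssl_key_file=/certs/server.key
      -c ssl_ca_file=/certs/ca.crt
      -c log_timezone=UTC
      -c timezone=UTC
      -c config_file=/etc/postgresql/conf.d/postgresql.conf
    networks:
      - pgnet

volumes:
  postgres_data: {}

networks:
  pgnet:
    driver: bridge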