version: "3.9"

services:
  powerdns:
    image: ${PDNS_IMAGE:-powerdns/pdns:latest}
    container_name: ${PDNS_CONTAINER_NAME:-powerdns}
    restart: unless-stopped
    
    # Die Umgebungsvariablen dienen jetzt nur noch als Futter für das Script
    environment:
      PDNS_API_KEY: ${PDNS_API_KEY:-changeme}
      PDNS_API_ALLOW_FROM: ${PDNS_API_ALLOW_FROM:-0.0.0.0/0,::/0}
      PDNS_LAUNCH: ${PDNS_LAUNCH:-gsqlite3}
      PDNS_GSQLITE3_DATABASE: ${PDNS_GSQLITE3_DATABASE:-/data/pdns.sqlite3}
      PDNS_GPGSQL_HOST: ${PDNS_GPGSQL_HOST:-}
      PDNS_GPGSQL_PORT: ${PDNS_GPGSQL_PORT:-5432}
      PDNS_GPGSQL_USER: ${PDNS_GPGSQL_USER:-}
      PDNS_GPGSQL_PASSWORD: ${PDNS_GPGSQL_PASSWORD:-}
      PDNS_GPGSQL_DBNAME: ${PDNS_GPGSQL_DBNAME:-}
      PDNS_LOG_LEVEL: ${PDNS_LOG_LEVEL:-6}

    entrypoint: ["/bin/sh","-lc"]
    command:
      - |
        set -eu
        mkdir -p /etc/powerdns/pdns.d
        
        PDNS_BIN=$$(which pdns_server || echo "/usr/local/sbin/pdns_server")
        DB_FILE="$${PDNS_GSQLITE3_DATABASE}"

        # 1. Vorbereitung als Root
        if [ ! -f "$$DB_FILE" ]; then
          echo "Initialisiere SQLite als root..."
          touch "$$DB_FILE"
          # Wir finden heraus, welcher User pdns normalerweise gehört (meist pdns)
          # und geben ihm die Datei. Falls der User nicht existiert, nutzen wir 666.
          chmod 666 "$$DB_FILE"
          
          SCHEMA=$$(find /usr -name schema.sqlite3.sql | head -n 1)
          if [ -n "$$SCHEMA" ]; then
             sqlite3 "$$DB_FILE" < "$$SCHEMA"
          fi
        fi

        # 2. Config schreiben
        cat > /etc/powerdns/pdns.d/99-env.conf <<EOF
        api=yes
        webserver=yes
        webserver-address=0.0.0.0
        webserver-port=8081
        api-key=$${PDNS_API_KEY}
        webserver-allow-from=$${PDNS_API_ALLOW_FROM}
        launch=gsqlite3
        gsqlite3-database=$$DB_FILE
        # Diese Zeilen sagen PowerDNS, zu wem es wechseln soll:
        setuid=pdns
        setgid=pdns
        EOF

        echo "Startserver: $$PDNS_BIN"
        # Wir starten als root, aber PDNS wechselt intern sofort den User
        exec $$PDNS_BIN --daemon=no --guardian=no --control-console


    volumes:
      - ${PDNS_DATA_PATH:-pdns-data}:/data

    networks:
      - proxy

    ports:
      - "${PDNS_PUBLIC_IPV4:-0.0.0.0}:${PDNS_PUBLIC_PORT:-53}:53/tcp"
      - "${PDNS_PUBLIC_IPV4:-0.0.0.0}:${PDNS_PUBLIC_PORT:-53}:53/udp"
      - "[${PDNS_PUBLIC_IPV6:-::}]:${PDNS_PUBLIC_PORT6:-53}:53/tcp"
      - "[${PDNS_PUBLIC_IPV6:-::}]:${PDNS_PUBLIC_PORT6:-53}:53/udp"

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.powerdns.rule=Host(`${PDNS_TRAEFIK_HOST:-dns.example.com}`)"
      - "traefik.http.routers.powerdns.entrypoints=${PDNS_TRAEFIK_ENTRYPOINT:-websecure}"
      - "traefik.http.routers.powerdns.tls=true"
      - "traefik.http.routers.powerdns.tls.certresolver=${PDNS_TRAEFIK_CERTRESOLVER:-letsencrypt}"
      - "traefik.http.services.powerdns.loadbalancer.server.port=8081"
      - "traefik.http.routers.powerdns-insecure.rule=Host(`${PDNS_TRAEFIK_HOST:-dns.example.com}`)"
      - "traefik.http.routers.powerdns-insecure.entrypoints=web"
      - "traefik.http.routers.powerdns-insecure.middlewares=powerdns-redirect"
      - "traefik.http.middlewares.powerdns-redirect.redirectscheme.scheme=https"

volumes:
  pdns-data:

networks:
  proxy:
    external: true