version: "3.9"

services:
  powerdns:
    image: ${PDNS_IMAGE:-powerdns/pdns:latest}
    container_name: ${PDNS_CONTAINER_NAME:-powerdns}
    restart: unless-stopped
    
    # Die Umgebungsvariablen dienen jetzt nur noch als Futter für das Script
    environment:
      PDNS_API_KEY: ${PDNS_API_KEY:-changeme}
      PDNS_API_ALLOW_FROM: ${PDNS_API_ALLOW_FROM:-0.0.0.0/0,::/0}
      PDNS_LAUNCH: ${PDNS_LAUNCH:-gsqlite3}
      PDNS_GSQLITE3_DATABASE: ${PDNS_GSQLITE3_DATABASE:-/data/pdns.sqlite3}
      PDNS_GPGSQL_HOST: ${PDNS_GPGSQL_HOST:-}
      PDNS_GPGSQL_PORT: ${PDNS_GPGSQL_PORT:-5432}
      PDNS_GPGSQL_USER: ${PDNS_GPGSQL_USER:-}
      PDNS_GPGSQL_PASSWORD: ${PDNS_GPGSQL_PASSWORD:-}
      PDNS_GPGSQL_DBNAME: ${PDNS_GPGSQL_DBNAME:-}
      PDNS_LOG_LEVEL: ${PDNS_LOG_LEVEL:-6}

    entrypoint: ["/bin/sh","-lc"]
    command:
      - |
        set -eu
        mkdir -p /etc/powerdns/pdns.d
        
        # Versuche Verzeichnis-Rechte zu setzen, ignoriere Fehler (Operation not permitted)
        chmod 777 /data || echo "Could not change /data permissions, hoping for the best..."
        
        PDNS_BIN=$$(which pdns_server || echo "/usr/local/sbin/pdns_server")
        DB_FILE="$${PDNS_GSQLITE3_DATABASE}"

        if [ "$${PDNS_LAUNCH}" = "gsqlite3" ] && [ ! -f "$$DB_FILE" ]; then
          echo "Initialisierung der Datenbank in $$DB_FILE"
          
          # Wir versuchen die Datei direkt zu erzeugen
          # Wenn das fehlschlägt, liegt es am Host-Mount
          if touch "$$DB_FILE" 2>/dev/null; then
             chmod 666 "$$DB_FILE"
             # Schema suchen
             SCHEMA=$$(find /usr -name schema.sqlite3.sql | head -n 1)
             if [ -n "$$SCHEMA" ]; then
                sqlite3 "$$DB_FILE" < "$$SCHEMA"
                echo "Schema erfolgreich importiert."
             fi
          else
             echo "FATAL: Keine Schreibrechte in /data. Bitte auf dem Host 'chmod 777' auf das Verzeichnis ausführen!"
             exit 1
          fi
        fi

        # Config schreiben
        cat > /etc/powerdns/pdns.d/99-env.conf <<EOF
        api=yes
        webserver=yes
        webserver-address=0.0.0.0
        webserver-port=8081
        api-key=$${PDNS_API_KEY}
        webserver-allow-from=$${PDNS_API_ALLOW_FROM}
        launch=gsqlite3
        gsqlite3-database=$$DB_FILE
        EOF

        exec $$PDNS_BIN --daemon=no --guardian=no --control-console


    volumes:
      - ${PDNS_DATA_PATH:-pdns-data}:/data

    networks:
      - proxy

    ports:
      - "${PDNS_PUBLIC_IPV4:-0.0.0.0}:${PDNS_PUBLIC_PORT:-53}:53/tcp"
      - "${PDNS_PUBLIC_IPV4:-0.0.0.0}:${PDNS_PUBLIC_PORT:-53}:53/udp"
      - "[${PDNS_PUBLIC_IPV6:-::}]:${PDNS_PUBLIC_PORT6:-53}:53/tcp"
      - "[${PDNS_PUBLIC_IPV6:-::}]:${PDNS_PUBLIC_PORT6:-53}:53/udp"

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.powerdns.rule=Host(`${PDNS_TRAEFIK_HOST:-dns.example.com}`)"
      - "traefik.http.routers.powerdns.entrypoints=${PDNS_TRAEFIK_ENTRYPOINT:-websecure}"
      - "traefik.http.routers.powerdns.tls=true"
      - "traefik.http.routers.powerdns.tls.certresolver=${PDNS_TRAEFIK_CERTRESOLVER:-letsencrypt}"
      - "traefik.http.services.powerdns.loadbalancer.server.port=8081"
      - "traefik.http.routers.powerdns-insecure.rule=Host(`${PDNS_TRAEFIK_HOST:-dns.example.com}`)"
      - "traefik.http.routers.powerdns-insecure.entrypoints=web"
      - "traefik.http.routers.powerdns-insecure.middlewares=powerdns-redirect"
      - "traefik.http.middlewares.powerdns-redirect.redirectscheme.scheme=https"

volumes:
  pdns-data:

networks:
  proxy:
    external: true