version: '3.8'

networks:
  default:
    name: x-ui-network
    driver: bridge

volumes:
  x-ui-data:
    driver: local
  x-ui-cert:
    driver: local

services:
  3x-ui:
    image: ghcr.io/mhsanaei/3x-ui:latest
    container_name: 3x-ui
    hostname: ${HOSTNAME:-3x-ui}
    restart: unless-stopped
    environment:
      XRAY_VMESS_AEAD_FORCED: ${XRAY_VMESS_AEAD_FORCED:-false}
      XUI_ENABLE_FAIL2BAN: ${XUI_ENABLE_FAIL2BAN:-true}
      # Database configuration (defaults to SQLite)
      DB_TYPE: ${DB_TYPE:-sqlite}
      DB_HOST: ${DB_HOST:-localhost}
      DB_PORT: ${DB_PORT:-5432}
      DB_NAME: ${DB_NAME:-x_ui}
      DB_USER: ${DB_USER:-x_ui}
      DB_PASSWORD: ${DB_PASSWORD}
      DB_SSLMODE: ${DB_SSLMODE:-disable}
      DB_TIMEZONE: ${DB_TIMEZONE:-UTC}
    volumes:
      # Use named volumes for better data management
      - x-ui-data:/etc/x-ui/
      - x-ui-cert:/root/cert/
      # Fallback to bind mounts for compatibility
      # - $PWD/db/:/etc/x-ui/
      # - $PWD/cert/:/root/cert/
    ports:
      - "${XUI_PORT:-2053}:2053"
      - "${XUI_SUB_PORT:-2096}:2096"
    # Use host network for simple setups (comment out ports above if using this)
    # network_mode: host
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:2053/login"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv6.conf.all.forwarding=1
    cap_add:
      - NET_ADMIN
    security_opt:
      - no-new-privileges:true
    tty: true