paperless:
    image: ghcr.io/paperless-ngx/paperless-ngx:latest
    container_name: paperless
    restart: unless-stopped
    command: ["runserver", "0.0.0.0:8000"]
    ports:
      - "8000:8000"
    volumes:
      - ../data/paperless:/usr/src/paperless/data
      - ../config/paperless/media:/usr/src/paperless/media
      - ../config/paperless/export:/usr/src/paperless/export
      - ../config/paperless/consume:/usr/src/paperless/consume
      - ../config/paperless/src/paperless/custom_settings.py:/usr/src/paperless/src/paperless/custom_settings.py
    environment:
      # Base Configuration
      - PAPERLESS_SETTINGS_MODULE=paperless.settings_custom
      - PAPERLESS_ADMIN_USER=${PAPERLESS_ADMIN_USER}
      - PAPERLESS_ADMIN_PASSWORD=${PAPERLESS_ADMIN_PASSWORD}
      - PAPERLESS_SECRET_KEY=${PAPERLESS_SECRET_KEY}
      - PAPERLESS_URL=https://docs.mrx8086.com
      - PAPERLESS_ALLOWED_HOSTS=docs.mrx8086.com
      - PAPERLESS_REDIS=redis://paperless-redis:6379
      - PAPERLESS_DBHOST=paperless-db
      - PAPERLESS_DBPORT=5432
      - PAPERLESS_DBNAME=paperless
      - PAPERLESS_DBUSER=${PAPERLESS_DB_USER}
      - PAPERLESS_DBPASS=${PAPERLESS_DB_PASSWORD}
      - PAPERLESS_LOGGING_LEVEL=DEBUG
      
      # OIDC Base Settings
      - PAPERLESS_OIDC_ENABLED=true
      - PAPERLESS_OIDC_DEBUG=true
      - PAPERLESS_DJANGO_LOGIN_REDIRECT_URL=/
      - PAPERLESS_OIDC_RP_PROVIDER_URL=https://auth.mrx8086.com/realms/office-automation
      - PAPERLESS_OIDC_RP_CLIENT_ID=paperless
      - PAPERLESS_OIDC_RP_CLIENT_SECRET=${PAPERLESS_CLIENT_SECRET}
      - PAPERLESS_OIDC_CALLBACK_URL=https://docs.mrx8086.com/oidc/callback/
      
      # OIDC Endpoints
      - PAPERLESS_OIDC_AUTH_ENDPOINT=https://auth.mrx8086.com/realms/office-automation/protocol/openid-connect/auth
      - PAPERLESS_OIDC_TOKEN_ENDPOINT=https://auth.mrx8086.com/realms/office-automation/protocol/openid-connect/token
      - PAPERLESS_OIDC_USERINFO_ENDPOINT=https://auth.mrx8086.com/realms/office-automation/protocol/openid-connect/userinfo
      - PAPERLESS_OIDC_JWKS_ENDPOINT=https://auth.mrx8086.com/realms/office-automation/protocol/openid-connect/certs
      
      # OIDC Claims and Scopes
      - PAPERLESS_OIDC_RP_SCOPE=openid profile email
      - PAPERLESS_OIDC_RP_USERNAME_CLAIM=preferred_username
      - PAPERLESS_OIDC_RP_NAME_CLAIM=name
      - PAPERLESS_OIDC_RP_EMAIL_CLAIM=email
      
      # OIDC Security Settings
      - PAPERLESS_OIDC_RP_SIGN_ALGO=RS256
      - PAPERLESS_OIDC_RP_VERIFY_SSL=true
      - PAPERLESS_OIDC_USE_PKCE=true
      - PAPERLESS_OIDC_CREATE_USER=true
      - "PAPERLESS_OIDC_USER_CLAIM_MAPPING={\"preferred_username\": \"username\", \"email\": \"email\", \"name\": \"name\"}"
      
      # OIDC Token Management
      - PAPERLESS_OIDC_RP_RENEW_TOKEN_BEFORE_EXPIRY=true

      # Proxy Settings (Added)
      - PAPERLESS_FORCE_SCRIPT_NAME=
      - PAPERLESS_PROXY_SSL=true
      - PAPERLESS_USE_X_FORWARD_HOST=true
      - PAPERLESS_USE_X_FORWARD_PORT=true
      
    depends_on:
      - paperless-db
      - paperless-redis
    networks:
      - paperless-network
    extra_hosts:
      - "auth.mrx8086.com:172.23.171.133"
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8000/"]
      interval: 30s
      timeout: 10s
      retries: 3