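# Secure Portal - Production Docker Compose
# Pull with: docker compose pull
# Start with: docker compose up -d
#
# Every ${VAR} below is interpolated by Compose when the file is loaded.
# Credentials written as ${VAR:?message} make `docker compose up` abort when
# the variable is unset or empty, instead of starting the stack with a blank
# secret. One guarded reference per variable is enough, because Compose
# interpolates the whole file before any container is created.
---
services:
  # PostgreSQL Database
  # No ports are published, so the database is reachable only from the
  # other services on the Compose network.
  postgres:
    image: postgres:16-alpine
    container_name: secure-portal-db
    restart: unless-stopped
    environment:
      POSTGRES_USER: "${POSTGRES_USER:?POSTGRES_USER must be set}"
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}"
      POSTGRES_DB: "${POSTGRES_DB:?POSTGRES_DB must be set}"
    volumes:
      - postgres_data:/var/lib/postgresql/data
    healthcheck:
      test:
        - CMD-SHELL
        - "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"
      interval: 10s
      timeout: 5s
      retries: 5

  # Redis Cache
  # No ports are published; access is limited to the Compose network and
  # additionally gated by --requirepass.
  redis:
    image: redis:7-alpine
    container_name: secure-portal-redis
    restart: unless-stopped
    # Exec (list) form passes the password as one argument, so whitespace or
    # shell metacharacters in it cannot split or alter the command line.
    # NOTE(review): the password is still visible in the container's argv
    # and in `docker inspect` output, here and in the healthcheck below; a
    # mounted redis.conf or a Compose secret would avoid that.
    command:
      - redis-server
      - "--appendonly"
      - "yes"
      - "--requirepass"
      - "${REDIS_PASSWORD:?REDIS_PASSWORD must be set}"
    volumes:
      - redis_data:/data
    healthcheck:
      test: ["CMD", "redis-cli", "-a", "${REDIS_PASSWORD}", "ping"]
      interval: 10s
      timeout: 3s
      retries: 5

  # Backend API
  # NOTE(review): `:latest` is a mutable tag, so `docker compose pull` can
  # change what runs in production without any change to this file. Pinning
  # a release tag or an image digest makes deployments reproducible and
  # auditable. The same applies to the frontend and clamav images.
  backend:
    image: git.unixweb.net/unixweb/secure-portal-backend:latest
    container_name: secure-portal-backend
    restart: unless-stopped
    # Published on all host interfaces. NOTE(review): if the API is meant to
    # be reached only through a reverse proxy, bind this to a loopback or
    # internal address instead - confirm against the deployment topology.
    ports:
      - "3000:3000"
    environment:
      NODE_ENV: production
      PORT: "3000"
      HOST: "0.0.0.0"
      # The password is embedded in the URL as-is; characters such as
      # `@`, `:`, `/` or `?` must be percent-encoded in POSTGRES_PASSWORD
      # or the connection string will be parsed incorrectly.
      DATABASE_URL: "postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB}?schema=public"
      REDIS_HOST: redis
      REDIS_PORT: "6379"
      REDIS_PASSWORD: "${REDIS_PASSWORD}"
      # Token-signing secrets: fail at load time rather than run with an
      # empty signing key.
      JWT_ACCESS_SECRET: "${JWT_ACCESS_SECRET:?JWT_ACCESS_SECRET must be set}"
      JWT_REFRESH_SECRET: "${JWT_REFRESH_SECRET:?JWT_REFRESH_SECRET must be set}"
      PASSWORD_RESET_URL: "${PASSWORD_RESET_URL}"
      MAIL_PROVIDER: "${MAIL_PROVIDER:-brevo}"
      MAIL_FROM_EMAIL: "${MAIL_FROM_EMAIL}"
      MAIL_FROM_NAME: "${MAIL_FROM_NAME:-Secure Portal}"
      BREVO_API_KEY: "${BREVO_API_KEY}"
      # NOTE(review): presumably required whenever the backend encrypts
      # data at rest; left unguarded because this file does not show
      # whether an empty value is tolerated - confirm and add `:?` if not.
      ENCRYPTION_KEY: "${ENCRYPTION_KEY}"
      CORS_ORIGIN: "${CORS_ORIGIN}"
      FRONTEND_URL: "${FRONTEND_URL}"
      SMTP_HOST: "${SMTP_HOST}"
      SMTP_PORT: "${SMTP_PORT:-587}"
      SMTP_USER: "${SMTP_USER}"
      SMTP_PASSWORD: "${SMTP_PASSWORD}"
      # NOTE(review): with the defaults (port 587, SMTP_SECURE false)
      # verify that the backend still enforces STARTTLS before sending
      # SMTP credentials.
      SMTP_SECURE: "${SMTP_SECURE:-false}"
      LICENSE_SERVER_URL: "${LICENSE_SERVER_URL}"
      LICENSE_KEY: "${LICENSE_KEY}"
      # Self-registration stays disabled unless explicitly enabled.
      ENABLE_REGISTER: "${ENABLE_REGISTER:-false}"
      CLAMAV_HOST: clamav
      CLAMAV_PORT: "3310"
      # Upload scanning is on by default.
      CLAMAV_ENABLED: "${CLAMAV_ENABLED:-true}"
      UPLOAD_DIR: /app/uploads
    volumes:
      - backend_logs:/app/logs
      - uploads_data:/app/uploads
    # NOTE(review): the backend waits for postgres and redis but not for
    # clamav, whose healthcheck allows a 120s start period. Confirm that
    # the backend rejects (rather than accepts unscanned) uploads while the
    # scanner is still starting.
    depends_on:
      postgres:
        condition: service_healthy
      redis:
        condition: service_healthy

  # Frontend (Nginx)
  frontend:
    image: git.unixweb.net/unixweb/secure-portal-frontend:latest
    container_name: secure-portal-frontend
    restart: unless-stopped
    # Plain HTTP on host port 8081; TLS termination is not configured in
    # this file and has to be provided in front of it.
    ports:
      - "8081:80"
    depends_on:
      - backend

  # ClamAV Virus Scanner
  # No ports are published; the backend reaches it as clamav:3310 over the
  # Compose network.
  clamav:
    image: clamav/clamav:latest
    container_name: secure-portal-clamav
    restart: unless-stopped
    volumes:
      - clamav_data:/var/lib/clamav
    healthcheck:
      test: ["CMD", "/usr/local/bin/clamdcheck.sh"]
      interval: 60s
      timeout: 10s
      retries: 3
      start_period: 120s

# Named volumes; data survives container re-creation.
volumes:
  postgres_data: {}
  redis_data: {}
  uploads_data: {}
  clamav_data: {}
  backend_logs: {}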