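# ROA2WEB Docker Compose - Production Configuration
# Use this file for production deployment:
#   docker-compose -f docker-compose.yml -f docker-compose.production.yml up
#
# This is an override file: images, networks and the named volumes referenced
# below (ssl-certs, nginx-logs) are not declared here and are presumably
# defined in docker-compose.yml - confirm before deploying.

version: '3.8'

services:
  # Backend production configuration
  roa-backend:
    deploy:
      replicas: 1
      resources:
        limits:
          cpus: '1.0'
          memory: 1G
        reservations:
          cpus: '0.5'
          memory: 512M
      restart_policy:
        condition: on-failure
        delay: 10s
        max_attempts: 3
    environment:
      - DEBUG=false
      - ENVIRONMENT=production
      - WORKERS=4
      # Credentials are passed as paths to mounted secret files rather than as
      # values, so they do not show up in `docker inspect` or the process env.
      - ORACLE_PASSWORD_FILE=/run/secrets/oracle_password
      - JWT_SECRET_KEY_FILE=/run/secrets/jwt_secret_key
    # 0.0.0.0 binds inside the container only; this file publishes no backend
    # port, so the API should be reachable only through roa-gateway.
    # Keep "--workers" in sync with WORKERS above.
    command:
      - "python"
      - "-m"
      - "uvicorn"
      - "app.main:app"
      - "--host"
      - "0.0.0.0"
      - "--port"
      - "8000"
      - "--workers"
      - "4"
    logging:
      driver: "json-file"
      options:
        max-size: "100m"
        max-file: "5"
    secrets:
      - oracle_password
      - jwt_secret_key
    # NOTE(review): roa-redis now requires a password, but no Redis credential
    # is mounted into the backend in this file - confirm how the backend
    # authenticates to Redis.
    depends_on:
      - roa-redis  # Only Redis dependency in production

  # Frontend production configuration
  roa-frontend:
    deploy:
      replicas: 1
      resources:
        limits:
          cpus: '0.5'
          memory: 256M
        reservations:
          cpus: '0.25'
          memory: 128M
    environment:
      - NODE_ENV=production
    logging:
      driver: "json-file"
      options:
        max-size: "50m"
        max-file: "3"

  # Gateway production configuration with SSL
  roa-gateway:
    deploy:
      replicas: 1
      resources:
        limits:
          cpus: '0.5'
          memory: 512M
        reservations:
          cpus: '0.25'
          memory: 256M
    environment:
      - ENVIRONMENT=production
    # The only ports this file publishes on the host.
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # NOTE(review): the gateway only needs to read certificates; consider
      # mounting ssl-certs read-only here (certbot is the writer).
      - ssl-certs:/etc/letsencrypt
      - nginx-logs:/var/log/nginx
      - ./nginx/ssl:/etc/nginx/ssl:ro
    logging:
      driver: "json-file"
      options:
        max-size: "100m"
        max-file: "5"

  # SSH Tunnel is disabled in production
  roa-ssh-tunnel:
    deploy:
      replicas: 0  # Disable SSH tunnel in production

  # Redis production configuration
  roa-redis:
    deploy:
      replicas: 1
      resources:
        limits:
          cpus: '0.25'
          memory: 256M
        reservations:
          cpus: '0.1'
          memory: 128M
    # redis-server has no "requirepass_file" directive, so the previous command
    # was rejected at startup. The password is read from the mounted secret and
    # handed to the real "requirepass" directive instead. "$$" is Compose's
    # escape for a literal "$", so the substitution runs in the container shell.
    # Caveats:
    #   - the password is visible in the container's process arguments;
    #   - a wrapper shell may bypass a privilege drop that the image entrypoint
    #     performs only for a bare "redis-server" command. The image is not
    #     defined in this file - confirm which user Redis ends up running as
    #     and set "user:" if needed.
    command:
      - "sh"
      - "-c"
      - >-
        exec redis-server
        --appendonly yes
        --requirepass "$$(cat /run/secrets/redis_password)"
        --maxmemory 128mb
        --maxmemory-policy allkeys-lru
    secrets:
      - redis_password
    logging:
      driver: "json-file"
      options:
        max-size: "50m"
        max-file: "3"

  # SSL Certificate Management (Let's Encrypt)
  certbot:
    # NOTE(review): ":latest" is a moving tag; pin a specific release tag or
    # image digest so production deploys are reproducible.
    image: certbot/certbot:latest
    container_name: roa-certbot
    volumes:
      - ssl-certs:/etc/letsencrypt
      - ./nginx/html:/var/www/certbot
    # "${VAR:?message}" makes Compose abort with the message when the variable
    # is unset or empty, instead of silently passing an empty argument.
    command: >-
      certonly --webroot --webroot-path=/var/www/certbot
      --email ${SSL_EMAIL:?SSL_EMAIL must be set}
      --agree-tos --no-eff-email --keep-until-expiring
      -d ${DOMAIN:?DOMAIN must be set}
    depends_on:
      - roa-gateway

  # Monitoring and logging (optional)
  # Uncomment if you want to add monitoring.
  # Before enabling: both services publish their ports on every host
  # interface, and the Grafana admin password must be supplied explicitly
  # (no default is provided below).
  # prometheus:
  #   image: prom/prometheus:latest
  #   container_name: roa-prometheus
  #   ports:
  #     - "9090:9090"
  #   volumes:
  #     - ./monitoring/prometheus.yml:/etc/prometheus/prometheus.yml
  #   networks:
  #     - roa-network

  # grafana:
  #   image: grafana/grafana:latest
  #   container_name: roa-grafana
  #   ports:
  #     - "3001:3000"
  #   environment:
  #     - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_PASSWORD:?GRAFANA_PASSWORD must be set}
  #   volumes:
  #     - grafana-data:/var/lib/grafana
  #   networks:
  #     - roa-network

# Production secrets management
# Each file is mounted into the consuming container at /run/secrets/<name>.
# Keep ./secrets out of version control and readable only by the deploy user.
secrets:
  oracle_password:
    file: ./secrets/oracle_password.txt
  jwt_secret_key:
    file: ./secrets/jwt_secret_key.txt
  redis_password:
    file: ./secrets/redis_password.txt

# Additional volumes for production
# volumes:
#   grafana-data:
#     driver: local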