services:
  db:
    image: mysql:8.0
    container_name: stupa_db
    restart: unless-stopped
    command:
      [
        "mysqld",
        "--character-set-server=utf8mb4",
        "--collation-server=utf8mb4_unicode_ci",
        "--default-authentication-plugin=mysql_native_password",
      ]
    environment:
      MYSQL_DATABASE: ${MYSQL_DB:-stupa}
      MYSQL_USER: ${MYSQL_USER:-stupa}
      MYSQL_PASSWORD: ${MYSQL_PASSWORD:-secret}
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD:-rootsecret}
    healthcheck:
      test:
        [
          "CMD-SHELL",
          "mysqladmin ping -h 127.0.0.1 -uroot -p${MYSQL_ROOT_PASSWORD:-rootsecret} --silent",
        ]
      interval: 10s
      timeout: 5s
      retries: 6
    ports:
      - "3306:3306"
    volumes:
      - db_data:/var/lib/mysql
    networks:
      - stupa_network

  redis:
    image: redis:7-alpine
    container_name: stupa_redis
    restart: unless-stopped
    command: redis-server --appendonly yes
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 5
    ports:
      - "6379:6379"
    volumes:
      - redis_data:/data
    networks:
      - stupa_network

  api:
    build:
      context: ./backend
      dockerfile: Dockerfile
      network: host
    container_name: stupa_api
    restart: unless-stopped
    depends_on:
      db:
        condition: service_healthy
      redis:
        condition: service_healthy
    environment:
      # Database
      MYSQL_HOST: db
      MYSQL_PORT: 3306
      MYSQL_DB: ${MYSQL_DB:-stupa}
      MYSQL_USER: ${MYSQL_USER:-stupa}
      MYSQL_PASSWORD: ${MYSQL_PASSWORD:-secret}

      # Redis
      REDIS_HOST: redis
      REDIS_PORT: 6379

      # Security
      MASTER_KEY: ${MASTER_KEY:-change_me}
      JWT_SECRET_KEY: ${JWT_SECRET_KEY:-change_me_jwt}
      ENCRYPTION_KEY: ${ENCRYPTION_KEY:-change_me_encryption}

      # OIDC Settings
      OIDC_ENABLED: ${OIDC_ENABLED:-false}
      OIDC_ISSUER: ${OIDC_ISSUER:-}
      OIDC_CLIENT_ID: ${OIDC_CLIENT_ID:-}
      OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET:-}
      OIDC_REDIRECT_URI: ${OIDC_REDIRECT_URI:-http://localhost:3001/auth/callback}
      OIDC_ADMIN_GROUPS: ${OIDC_ADMIN_GROUPS:-admin}
      OIDC_BUDGET_REVIEWER_GROUPS: ${OIDC_BUDGET_REVIEWER_GROUPS:-haushaltsbeauftragte}
      OIDC_FINANCE_REVIEWER_GROUPS: ${OIDC_FINANCE_REVIEWER_GROUPS:-finanzreferent}
      OIDC_ASTA_GROUPS: ${OIDC_ASTA_GROUPS:-asta}

      # Email Settings
      EMAIL_ENABLED: ${EMAIL_ENABLED:-false}
      SMTP_HOST: ${SMTP_HOST:-localhost}
      SMTP_PORT: ${SMTP_PORT:-587}
      SMTP_USERNAME: ${SMTP_USERNAME:-}
      SMTP_PASSWORD: ${SMTP_PASSWORD:-}
      EMAIL_FROM: ${EMAIL_FROM:-noreply@example.com}
      EMAIL_FROM_NAME: ${EMAIL_FROM_NAME:-STUPA System}

      # Rate Limiting
      RATE_IP_PER_MIN: ${RATE_IP_PER_MIN:-60}
      RATE_KEY_PER_MIN: ${RATE_KEY_PER_MIN:-30}

      # Storage
      UPLOAD_DIR: /app/uploads
      TEMPLATE_DIR: /app/templates
      ATTACHMENT_STORAGE: ${ATTACHMENT_STORAGE:-filesystem}
      FILESYSTEM_PATH: /app/attachments

      # Workflow
      WORKFLOW_REQUIRED_VOTES: ${WORKFLOW_REQUIRED_VOTES:-5}
      WORKFLOW_APPROVAL_THRESHOLD: ${WORKFLOW_APPROVAL_THRESHOLD:-50.0}

      # Application
      FRONTEND_URL: ${FRONTEND_URL:-http://localhost:3001}
      ENVIRONMENT: ${ENVIRONMENT:-production}
      DEBUG: ${DEBUG:-false}
      TZ: ${TZ:-Europe/Berlin}
    ports:
      - "8000:8000"
    volumes:
      - ./backend/uploads:/app/uploads
      - ./backend/templates:/app/templates
      - ./backend/attachments:/app/attachments
      - pdf_forms:/app/pdf_forms
    healthcheck:
      test: ["CMD-SHELL", "wget -qO- http://127.0.0.1:8000/health || exit 1"]
      interval: 10s
      timeout: 5s
      retries: 6
    networks:
      - stupa_network

  frontend:
    build:
      context: ./frontend
      dockerfile: Dockerfile
      network: host
      args:
        - VITE_API_URL=${VITE_API_URL:-http://localhost:8000}
        - VITE_OIDC_ENABLED=${OIDC_ENABLED:-false}
        - VITE_EMAIL_ENABLED=${EMAIL_ENABLED:-false}
    container_name: stupa_frontend
    restart: unless-stopped
    depends_on:
      - api
    ports:
      - "3001:80"
    environment:
      - NODE_ENV=production
    healthcheck:
      test: ["CMD-SHELL", "wget -qO- http://localhost/ || exit 1"]
      interval: 10s
      timeout: 5s
      retries: 6
    networks:
      - stupa_network

  form_designer:
    image: node:18-alpine
    container_name: stupa_form_designer
    restart: unless-stopped
    working_dir: /app
    command: npm run dev
    depends_on:
      - api
    ports:
      - "3002:3000"
    volumes:
      - ./form-designer:/app
      - /app/node_modules
    environment:
      - NODE_ENV=development
      - VITE_API_URL=http://localhost:8000
    networks:
      - stupa_network
    profiles:
      - dev

  adminer:
    image: adminer:4
    container_name: stupa_adminer
    restart: unless-stopped
    depends_on:
      db:
        condition: service_healthy
    environment:
      ADMINER_DEFAULT_SERVER: db
      ADMINER_DESIGN: pepa-linha-dark
    ports:
      - "8080:8080"
    networks:
      - stupa_network

  mailhog:
    image: mailhog/mailhog:latest
    container_name: stupa_mailhog
    restart: unless-stopped
    ports:
      - "1025:1025" # SMTP server
      - "8025:8025" # Web UI
    networks:
      - stupa_network
    profiles:
      - dev

volumes:
  db_data:
    driver: local
  redis_data:
    driver: local
  pdf_forms:
    driver: local

networks:
  stupa_network:
    driver: bridge