# ──────────────────────────────────────────────────────────────
#  BanGUI — Production Compose
#
#  Compatible with:
#    docker compose -f Docker/compose.prod.yml up -d
#    podman compose  -f Docker/compose.prod.yml up -d
#    podman-compose  -f Docker/compose.prod.yml up -d
#
#  Prerequisites:
#    Create a .env file at the project root (or pass --env-file):
#      BANGUI_SESSION_SECRET=<random-secret>
# ──────────────────────────────────────────────────────────────

name: bangui

services:
  # ── fail2ban ─────────────────────────────────────────────────
  fail2ban:
    image: lscr.io/linuxserver/fail2ban:latest
    container_name: bangui-fail2ban
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - NET_RAW
    network_mode: host
    environment:
      TZ: "${BANGUI_TIMEZONE:-UTC}"
      PUID: 0
      PGID: 0
    volumes:
      - fail2ban-config:/config
      - fail2ban-run:/var/run/fail2ban
      - /var/log:/var/log:ro
    healthcheck:
      test: ["CMD", "fail2ban-client", "ping"]
      interval: 30s
      timeout: 5s
      start_period: 15s
      retries: 3
    # NOTE: The fail2ban-config volume must be pre-populated with the following files:
    #   • fail2ban/jail.conf (or jail.d/*.conf) with the DEFAULT section containing:
    #     banaction = iptables-allports[lockingopt="-w 5"]
    #   This prevents xtables lock contention errors when multiple jails start in parallel.
    #   See https://fail2ban.readthedocs.io/en/latest/development/environment.html

  # ── Backend (FastAPI + uvicorn) ─────────────────────────────
  backend:
    build:
      context: ..
      dockerfile: Docker/Dockerfile.backend
    container_name: bangui-backend
    restart: unless-stopped
    depends_on:
      fail2ban:
        condition: service_healthy
    environment:
      BANGUI_DATABASE_PATH: "/data/bangui.db"
      BANGUI_FAIL2BAN_SOCKET: "/var/run/fail2ban/fail2ban.sock"
      BANGUI_FAIL2BAN_CONFIG_DIR: "/config/fail2ban"
      BANGUI_LOG_LEVEL: "info"
      BANGUI_SESSION_SECRET: "${BANGUI_SESSION_SECRET:?Set BANGUI_SESSION_SECRET}"
      BANGUI_TIMEZONE: "${BANGUI_TIMEZONE:-UTC}"
    volumes:
      - bangui-data:/data
      - fail2ban-run:/var/run/fail2ban:ro
      - fail2ban-config:/config:rw
    expose:
      - "8000"
    healthcheck:
      test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:8000/api/health')"]
      interval: 30s
      timeout: 5s
      start_period: 10s
      retries: 3
    networks:
      - bangui-net

  # ── Frontend (nginx serving built SPA + API proxy) ──────────
  frontend:
    build:
      context: ..
      dockerfile: Docker/Dockerfile.frontend
    container_name: bangui-frontend
    restart: unless-stopped
    ports:
      - "${BANGUI_PORT:-8080}:80"
    depends_on:
      backend:
        condition: service_healthy
    healthcheck:
      test: ["CMD", "wget", "-qO", "/dev/null", "http://localhost:80/"]
      interval: 30s
      timeout: 5s
      start_period: 5s
      retries: 3
    networks:
      - bangui-net

volumes:
  bangui-data:
    driver: local
  fail2ban-config:
    driver: local
  fail2ban-run:
    driver: local

networks:
  bangui-net:
    driver: bridge