# ──────────────────────────────────────────────────────────────
#  BanGUI — Production Compose
#
#  Usage:
#    docker compose -f Docker/compose.prod.yml up -d
#    podman compose -f Docker/compose.prod.yml up -d
#
#  Features:
#    - Multi-stage built images (no volume-mounted source code)
#    - Frontend served by nginx with API reverse proxy
#    - Backend running uvicorn without --reload
#    - Only port 8080 exposed to host
# ──────────────────────────────────────────────────────────────

name: bangui

services:
  # ── fail2ban ─────────────────────────────────────────────────
  fail2ban:
    image: lscr.io/linuxserver/fail2ban:latest
    container_name: bangui-fail2ban
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - NET_RAW
    network_mode: host
    environment:
      TZ: "${BANGUI_TIMEZONE:-UTC}"
      PUID: 0
      PGID: 0
    volumes:
      - ../data/fail2ban-dev-config:/config
      - fail2ban-run:/var/run/fail2ban
      - /var/log:/var/log:ro
      - ../data/log:/remotelogs/bangui
    healthcheck:
      test: ["CMD", "fail2ban-client", "ping"]
      interval: 30s
      timeout: 5s
      start_period: 15s
      retries: 3

  # ── Backend (FastAPI + uvicorn) ─────────────────────────────
  backend:
    build:
      context: ..
      dockerfile: Docker/Dockerfile.backend
      target: runtime
    container_name: bangui-backend
    restart: unless-stopped
    stop_grace_period: 30s  # Give lifespan 30s to complete before SIGKILL
    depends_on:
      fail2ban:
        condition: service_healthy
    environment:
      BANGUI_DATABASE_PATH: "/data/bangui.db"
      BANGUI_FAIL2BAN_SOCKET: "/var/run/fail2ban/fail2ban.sock"
      BANGUI_FAIL2BAN_CONFIG_DIR: "/config/fail2ban"
      BANGUI_LOG_FILE: "/data/log/bangui.log"
      BANGUI_LOG_LEVEL: "${BANGUI_LOG_LEVEL:-info}"
      BANGUI_SESSION_SECRET: "${BANGUI_SESSION_SECRET:?BANGUI_SESSION_SECRET must be set — generate with: python -c 'import secrets; print(secrets.token_hex(32))'}"
      BANGUI_TIMEZONE: "${BANGUI_TIMEZONE:-UTC}"
      BANGUI_SESSION_COOKIE_SECURE: "${BANGUI_SESSION_COOKIE_SECURE:-true}"
      BANGUI_CORS_ALLOWED_ORIGINS: "${BANGUI_CORS_ALLOWED_ORIGINS:-}"
    volumes:
      - ../data:/data
      - ../fail2ban-master:/app/fail2ban-master:ro
      - fail2ban-run:/var/run/fail2ban:ro
      - ../data/fail2ban-dev-config:/config:rw
    networks:
      - bangui-net
    healthcheck:
      test: ["CMD-SHELL", "curl -f http://localhost:8000/api/v1/health/live || exit 1"]
      interval: 30s
      timeout: 10s
      start_period: 40s
      retries: 3

  # ── Frontend (nginx serving built SPA) ──────────────────────
  frontend:
    build:
      context: ..
      dockerfile: Docker/Dockerfile.frontend
    container_name: bangui-frontend
    restart: unless-stopped
    depends_on:
      backend:
        condition: service_healthy
    ports:
      - "${BANGUI_PORT:-8080}:80"
    networks:
      - bangui-net
    healthcheck:
      test: ["CMD-SHELL", "wget -qO /dev/null http://localhost:80/ || exit 1"]
      interval: 30s
      timeout: 5s
      start_period: 5s
      retries: 3

volumes:
  fail2ban-run:
    driver: local

networks:
  bangui-net:
    driver: bridge