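# Production-grade Docker Compose configuration
#
# Usage: docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d
#
# Hardening notes for this override:
#   - Images: `:latest` is mutable and defeats supply-chain review. The tag
#     is parameterised (WORKFLOWUI_TAG / SMTP_RELAY_TAG) so a release tag or
#     an @sha256 digest can be pinned from .env without editing this file.
#   - Credentials: `${VAR:?msg}` makes `up` fail loudly when a required value
#     is unset instead of silently starting the relay with an empty password.
#   - Capabilities: every listener binds a port above 1024, so nothing is
#     added back after `cap_drop: ALL`.
#   - Data: the SQLite database lives on a real local volume, not tmpfs
#     (tmpfs is RAM-backed and its contents are not durable).
#   - NOTE(review): `mem_limit`/`memswap_limit`/`cpus` are honoured by the
#     Compose v2 CLI; the legacy Python docker-compose rejects them under a
#     3.x file version. Confirm which CLI the deploy host uses.
version: '3.8'

services:
  workflowui:
    # Image from the container registry. WORKFLOWUI_TAG defaults to "latest"
    # for compatibility; set it to an immutable release tag or digest in production.
    image: ghcr.io/yourusername/metabuilder/workflowui:${WORKFLOWUI_TAG:-latest}

    # Resource limits
    mem_limit: 2g
    memswap_limit: 4g
    cpus: '2.0'

    # Restart policy
    restart: always

    # Enhanced health check: both in-container listeners (3000 and 5000) must
    # answer. Assumes wget is present in the image.
    healthcheck:
      test:
        - "CMD"
        - "sh"
        - "-c"
        - >-
          wget --quiet --tries=1 --spider http://localhost:3000/api/health
          && wget --quiet --tries=1 --spider http://localhost:5000/api/health
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 60s

    # Logging. For the json-file driver, `labels` is a comma-separated list
    # of container label *keys* to attach to each log record (not a
    # key=value pair); the keys must exist under this service's `labels:`.
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"
        labels: "app,environment"

    # Security options
    security_opt:
      - no-new-privileges:true
    # Drop every capability. The app listens on 3000/5000 (see the health
    # check), so NET_BIND_SERVICE is not required; add it back only if a
    # port below 1024 must be bound inside the container.
    cap_drop:
      - ALL

    # Read-only root filesystem. Kept false until the image is verified to
    # write only under /app/data and /app/logs (both are volumes, so they
    # remain writable with read_only: true); any other scratch path such
    # as /tmp would need a `tmpfs:` entry first.
    read_only: false

    # Run unprivileged. This UID/GID must own /app/data and /app/logs in the
    # image, or the first write fails with EACCES.
    user: "1000:1000"

    # Environment (non-secret configuration only)
    environment:
      - NODE_ENV=production
      - FLASK_ENV=production
      - NEXTAUTH_URL=https://workflowui.example.com
      # NOTE(review): the *_FILE convention only works if the app reads the
      # secret from this path at startup — confirm against the application code.
      - NEXTAUTH_SECRET_FILE=/run/secrets/nextauth_secret
      - DATABASE_URL=/app/data/workflows.db

    # Secrets are mounted at /run/secrets/<name>; see top-level `secrets:`.
    secrets:
      - nextauth_secret

    # Volumes (declared under top-level `volumes:`)
    volumes:
      - workflowui-data:/app/data
      - workflowui-logs:/app/logs

    # Network. No `ports:` are published in this override, so the service is
    # only reachable from the compose network (a reverse proxy, or a port
    # mapping in the base file) — keep it that way.
    networks:
      - metabuilder-network

    # Labels for monitoring/orchestration
    labels:
      app: "workflowui"
      version: "1.0"
      environment: "production"
      monitoring: "true"

  smtp-relay:
    # Same tag parameterisation as workflowui; pin SMTP_RELAY_TAG in production.
    image: ghcr.io/yourusername/metabuilder/smtp-relay:${SMTP_RELAY_TAG:-latest}

    # Resource limits
    mem_limit: 512m
    memswap_limit: 1g
    cpus: '0.5'

    # Restart policy
    restart: always

    # Health check (assumes curl is present in the image)
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 20s

    # Logging (see workflowui for the meaning of `labels`)
    logging:
      driver: "json-file"
      options:
        max-size: "5m"
        max-file: "2"
        labels: "app,environment"

    # Security options
    security_opt:
      - no-new-privileges:true
    # Listeners are on 2525 and 8080, so no capability needs to be added back.
    cap_drop:
      - ALL
    # NOTE(review): no `user:` is set, so this runs as the image's default
    # user. Verify the Dockerfile drops root, or add `user:` here.

    # Environment
    environment:
      - SMTP_LISTEN_HOST=0.0.0.0  # reachable from the compose network only (no ports published)
      - SMTP_LISTEN_PORT=2525
      - HTTP_LISTEN_HOST=127.0.0.1  # health/admin HTTP stays inside the container
      - HTTP_LISTEN_PORT=8080
      # Credentials come from the host environment / .env. `:?` aborts `up`
      # with the message when the variable is unset or empty. Environment
      # values are readable via `docker inspect` by anyone with Docker
      # socket access; prefer a mounted secret if the image supports a
      # *_FILE variant.
      - GMAIL_USERNAME=${GMAIL_USERNAME:?GMAIL_USERNAME must be set}
      - GMAIL_APP_PASSWORD=${GMAIL_APP_PASSWORD:?GMAIL_APP_PASSWORD must be set}
      - FORWARD_TO=${FORWARD_TO:?FORWARD_TO must be set}
      - ALLOW_ANY_RCPT=false  # deliver only to FORWARD_TO; never enable on an exposed relay
      - ADD_X_HEADERS=true
      - MAX_STORE=1000

    # Network
    networks:
      - metabuilder-network

    # Labels
    labels:
      app: "smtp-relay"
      version: "1.0"
      environment: "production"

volumes:
  # Persistent application data (the SQLite database at /app/data). A plain
  # local volume: tmpfs is RAM-backed and would lose the database whenever
  # the mount is torn down, which contradicts the backup labels below.
  workflowui-data:
    driver: local
    labels:
      backup: "daily"
      retention: "30d"
  # Ephemeral, size-capped scratch space for application logs. Not durable
  # by design; durable logs go through the json-file driver above.
  workflowui-logs:
    driver: local
    driver_opts:
      type: tmpfs
      device: tmpfs  # the local driver requires `device` alongside `type`
      o: size=500m

networks:
  metabuilder-network:
    driver: bridge
    driver_opts:
      com.docker.network.driver.mtu: "1500"
    labels:
      environment: "production"

secrets:
  nextauth_secret:
    # References a secret created out-of-band in Swarm, e.g.
    #   printf '%s' "your-secret" | docker secret create nextauth_secret -
    # (printf rather than echo, so no trailing newline ends up in the secret).
    # NOTE(review): Swarm-managed external secrets are not available to a
    # plain `docker compose up`; for that workflow replace `external: true`
    # with `file: ./secrets/nextauth_secret` (mode 0600, excluded from VCS).
    external: true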