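version: '3.8'

# Gondulf Production Configuration - nginx Reverse Proxy with TLS
#
# Override file: it is layered on top of docker-compose.yml, so it only
# carries the production differences and relies on the base file for the
# rest (the gondulf service definition, its health check, gondulf_network).
#
# Usage: podman-compose -f docker-compose.yml -f docker-compose.production.yml up -d
# Or:    docker-compose -f docker-compose.yml -f docker-compose.production.yml up -d

services:
  gondulf:
    # Remove direct port exposure in production (nginx handles external access).
    # NOTE(review): Compose merges multi-value options such as `ports` across
    # -f files by concatenation, so an empty list here may not drop ports that
    # the base file publishes. Check the merged result by running the usage
    # command above with `config` instead of `up -d`; on Compose releases
    # that support it, `ports: !reset []` clears the inherited list.
    ports: []

    # Production environment settings
    environment:
      - GONDULF_HTTPS_REDIRECT=true
      - GONDULF_SECURE_COOKIES=true
      # NOTE(review): presumably makes the app honour proxy-supplied
      # X-Forwarded-* headers - confirm. That is only safe while the app is
      # reachable solely through nginx (see the ports note above); nginx
      # should overwrite, not append to, client-supplied forwarding headers.
      - GONDULF_TRUST_PROXY=true
      - GONDULF_DEBUG=false
      - GONDULF_LOG_LEVEL=INFO

  nginx:
    # Mutable tag: for reproducible deployments pin by digest, e.g.
    # nginx:1.25-alpine@sha256:<digest-placeholder>.
    image: nginx:1.25-alpine
    container_name: gondulf_nginx
    restart: unless-stopped

    # External ports
    ports:
      - "80:80"
      - "443:443"

    # Configuration and SSL certificates (mounted read-only).
    # The ssl directory holds private key material: keep it out of version
    # control and restrict its permissions on the host.
    volumes:
      - ./deployment/nginx/conf.d:/etc/nginx/conf.d:ro
      - ./deployment/nginx/ssl:/etc/nginx/ssl:ro
      # Optional: Let's Encrypt challenge directory
      # - ./deployment/nginx/certbot:/var/www/certbot:ro

    # Wait for Gondulf to be healthy
    depends_on:
      gondulf:
        condition: service_healthy

    networks:
      - gondulf_network

    # nginx health check
    # NOTE(review): the probe uses plain HTTP on port 80; if conf.d redirects
    # all port-80 traffic to HTTPS, /health needs to be exempt - confirm.
    healthcheck:
      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost/health"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 5s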