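# Compose stack: the session-manager app, a Docker-in-Docker daemon it drives
# over the Docker API, and a Caddy reverse proxy. The lovdata-mcp server is
# not part of this file; session-manager reaches it via MCP_SERVER.
version: '3.8'

services:
  session-manager:
    build:
      context: ./session-manager
      dockerfile: Dockerfile
    ports:
      - "8000:8000"
    volumes:
      # TLS client certificates for the optional TLS path to a host daemon;
      # read-only so the application cannot modify them.
      - ./docker/certs:/etc/docker/certs:ro
      # Session state persisted across container restarts
      - ./session-manager/sessions:/app/sessions
    environment:
      # Docker API connection. TLS verification is OFF because the bundled
      # docker-daemon service below runs without TLS (local development only).
      # DOCKER_CERT_PATH is kept for the case where DOCKER_HOST is pointed at a
      # TLS endpoint such as DOCKER_HOST_IP:DOCKER_TLS_PORT.
      - DOCKER_TLS_VERIFY=0
      - DOCKER_CERT_PATH=/etc/docker/certs
      - DOCKER_HOST=http://docker-daemon:2375
      # Application configuration. API keys default to empty and are expected
      # from the shell environment or an .env file rather than from this file.
      - MCP_SERVER=${MCP_SERVER:-http://localhost:8001}
      - OPENAI_API_KEY=${OPENAI_API_KEY:-}
      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY:-}
      - GOOGLE_API_KEY=${GOOGLE_API_KEY:-}
      - ZEN_API_KEY=${ZEN_API_KEY:-}
      # Certificate paths (configurable via environment); defaults match the
      # ./docker/certs mount above
      - DOCKER_CA_CERT=${DOCKER_CA_CERT:-/etc/docker/certs/ca.pem}
      - DOCKER_CLIENT_CERT=${DOCKER_CLIENT_CERT:-/etc/docker/certs/client-cert.pem}
      - DOCKER_CLIENT_KEY=${DOCKER_CLIENT_KEY:-/etc/docker/certs/client-key.pem}
      # Host configuration: where a TLS-enabled host daemon would be reached
      - DOCKER_HOST_IP=${DOCKER_HOST_IP:-host.docker.internal}
      - DOCKER_TLS_PORT=${DOCKER_TLS_PORT:-2376}
    networks:
      - lovdata-network
    restart: unless-stopped
    # Security: forbid privilege escalation inside the container (setuid
    # binaries, capability gains). NOTE(review): no `user:` is set here, so
    # whether the process runs as non-root depends on the image's Dockerfile
    # — confirm there.
    security_opt:
      - no-new-privileges:true
    # Resource limits. NOTE(review): `deploy.resources` is honoured by Compose
    # v2 (or v1 with --compatibility) outside swarm mode — confirm against the
    # toolchain in use.
    deploy:
      resources:
        limits:
          memory: 1G
          cpus: '1.0'

  # Docker daemon (non-TLS for local development)
  # For production, use TLS with: ./docker/scripts/setup-docker-tls.sh
  docker-daemon:
    image: docker:dind
    # dind requires --privileged to run a nested daemon; a privileged
    # container is not isolated from the host kernel, so the API it exposes
    # must not be reachable by anything untrusted.
    privileged: true
    ports:
      # The API on 2375 is unauthenticated and unencrypted. Bind the published
      # port to loopback so it is reachable only from this host; session-manager
      # talks to the daemon over the compose network, not through this mapping.
      # (A plain "2375:2375" would publish it on every host interface.)
      - "127.0.0.1:2375:2375"
    volumes:
      # Docker data persistence
      - docker-data:/var/lib/docker
    environment:
      # Empty value disables dind's automatic TLS setup so it serves plain
      # TCP on 2375
      - DOCKER_TLS_CERTDIR=
    networks:
      - lovdata-network
    restart: unless-stopped
    # Listen on all container interfaces (needed for the compose network) and
    # on the usual unix socket
    command: --host=tcp://0.0.0.0:2375 --host=unix:///var/run/docker.sock

  # lovdata-mcp server is external - configured via MCP_SERVER environment variable
  caddy:
    image: caddy:2.7-alpine
    ports:
      - "8080:80"
      - "8443:443"
    volumes:
      # Reverse-proxy config (path is under ./nginx); mounted read-only since
      # Caddy only needs to read it
      - ./nginx/Caddyfile:/etc/caddy/Caddyfile:ro
      # Caddy's own state (certificates, autosave config)
      - caddy_data:/data
      - caddy_config:/config
    networks:
      - lovdata-network
    restart: unless-stopped

volumes:
  caddy_data:
  caddy_config:
  # Docker daemon data persistence
  docker-data:

networks:
  lovdata-network:
    driver: bridge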