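# Compose stack: session-manager (app) + TLS-only Docker daemon (dind) + Caddy edge.
# The lovdata-mcp server is external and reached via MCP_SERVER.
version: '3.8'

services:
  session-manager:
    build:
      context: ./session-manager
      dockerfile: Dockerfile
    ports:
      # Published on all host interfaces; if Caddy is meant to be the only
      # entry point, bind to the loopback address instead (e.g. "127.0.0.1:8000:8000").
      - "8000:8000"
    volumes:
      # TLS material for the Docker API. NOTE(review): the same host directory
      # also holds the daemon's server key (see docker-daemon command below), so
      # this container can read more than the client cert/key it needs — confirm
      # and consider mounting only the client files.
      - ./docker/certs:/etc/docker/certs:ro
      # Session state persisted on the host
      - ./session-manager/sessions:/app/sessions
    environment:
      # Docker TLS client configuration (verify the daemon's certificate)
      - DOCKER_TLS_VERIFY=1
      - DOCKER_CERT_PATH=/etc/docker/certs
      # Reaches the docker-daemon service through its published host port
      - DOCKER_HOST=tcp://host.docker.internal:2376
      # Application configuration; API keys default to empty, never to a literal
      - MCP_SERVER=${MCP_SERVER:-http://localhost:8001}
      - OPENAI_API_KEY=${OPENAI_API_KEY:-}
      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY:-}
      - GOOGLE_API_KEY=${GOOGLE_API_KEY:-}
      # Certificate paths (overridable via environment)
      - DOCKER_CA_CERT=${DOCKER_CA_CERT:-/etc/docker/certs/ca.pem}
      - DOCKER_CLIENT_CERT=${DOCKER_CLIENT_CERT:-/etc/docker/certs/client-cert.pem}
      - DOCKER_CLIENT_KEY=${DOCKER_CLIENT_KEY:-/etc/docker/certs/client-key.pem}
      # Host configuration
      - DOCKER_HOST_IP=${DOCKER_HOST_IP:-host.docker.internal}
      - DOCKER_TLS_PORT=${DOCKER_TLS_PORT:-2376}
    networks:
      - lovdata-network
    restart: unless-stopped
    # Security: blocks privilege escalation (setuid/capabilities) inside the
    # container. This file sets no `user:`, so running as non-root depends on a
    # USER instruction in ./session-manager/Dockerfile — verify it is there.
    security_opt:
      - no-new-privileges:true
    # Resource caps to bound runaway sessions. NOTE(review): `deploy.resources`
    # is honoured by Compose v2 and Swarm; older docker-compose releases ignore
    # it — confirm the CLI in use.
    deploy:
      resources:
        limits:
          memory: 1G
          cpus: '1.0'

  # Docker daemon with TLS enabled (must be configured separately)
  # Run: ./docker/scripts/setup-docker-tls.sh after generating certificates
  docker-daemon:
    image: docker:dind
    # Required by docker:dind; this container is effectively host-root, so the
    # mutually-authenticated TLS port below is its only intended exposure.
    privileged: true
    ports:
      - "${DOCKER_TLS_PORT:-2376}:2376"
    volumes:
      # TLS certificates (read-only)
      - ./docker/certs:/etc/docker/certs:ro
      # Daemon configuration (read-only)
      - ./docker/daemon.json:/etc/docker/daemon.json:ro
      # Docker data persistence
      - docker-data:/var/lib/docker
    environment:
      # NOTE(review): the dind entrypoint manages certificates under this
      # directory itself and the mount is read-only — confirm the explicit
      # --tls* flags in `command` agree with what the entrypoint expects.
      - DOCKER_TLS_CERTDIR=/etc/docker/certs
    networks:
      - lovdata-network
    restart: unless-stopped
    # Only expose the TLS port, not the socket; --tlsverify requires client certs
    command: --tlsverify --tlscacert=/etc/docker/certs/ca.pem --tlscert=/etc/docker/certs/server-cert.pem --tlskey=/etc/docker/certs/server-key.pem

  # lovdata-mcp server is external - configured via MCP_SERVER environment variable
  caddy:
    image: caddy:2.7-alpine
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Caddy only reads its Caddyfile; state goes to /data and /config below,
      # so the config mount can be read-only.
      - ./nginx/Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy_data:/data
      - caddy_config:/config
    networks:
      - lovdata-network
    restart: unless-stopped

volumes:
  caddy_data:
  caddy_config:
  # Docker daemon data persistence
  docker-data:

networks:
  lovdata-network:
    driver: bridge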