---
services:
  postgres:
    restart: always
    image: "postgres:15.1-alpine"
    container_name: phoenixDB # Hostname
    # logging:
    #   driver: loki
    #   options:
    #     loki-url: "${LOKI_URL}"
    #     loki-retries: "${LOKI_RETRIES}"
    #     loki-batch-size: "${LOKI_BATCH_SIZE}"
    #     loki-external-labels: "service=phx-postgres,env=prod"
    networks:
      - backend
    environment:
      DEBUG: true
      POSTGRES_DB: ${DB_NAME}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
    volumes:
      - "./database:/var/lib/postgresql/data"
    healthcheck:
      test: [ "CMD-SHELL", "pg_isready -U postgres" ]
      interval: 5s # Time between each health check
      timeout: 2s # Number of failures before marking as unhealthy
      retries: 5  # Grace period before health checks start
  pgadmin:
    image: dpage/pgadmin4
    container_name: pgAdmin4_Ui
    user: "5050:5050"
    # logging:
    #   driver: loki
    #   options:
    #     loki-url: "${LOKI_URL}"
    #     loki-retries: "${LOKI_RETRIES}"
    #     loki-batch-size: "${LOKI_BATCH_SIZE}"
    #     loki-external-labels: "service=phx-pgadmin,env=prod"
    networks:
      - backend
      - frontend
    environment:
      PGADMIN_DEFAULT_EMAIL: ${PGADMIN_DEFAULT_EMAIL}
      PGADMIN_DEFAULT_PASSWORD: ${SUPER_ADMIN_USER_PASSWORD}
      PGADMIN_CONFIG_SERVER_MODE: 'True'
      PGADMIN_CONFIG_WSGI_SCRIPT_NAME: "'/pgadmin4'"
      PGADMIN_CONFIG_PROXY_X_PROTO_COUNT: 1
      PGADMIN_SERVER_JSON_FILE: '/var/lib/pgadmin/servers.json'
      PGADMIN_REPLACE_SERVERS_ON_STARTUP: 'True'
      PGADMIN_CONFIG_DATA_DIR: "'/var/lib/pgadmin'"
      PGADMIN_CONFIG_MASTER_PASSWORD_REQUIRED: 'False'

      # pgpass dynamic vars
      PGPASSFILE: /var/lib/pgadmin/pgpass
      PGPASS_HOST: ${DB_HOST}
      PGPASS_PORT: ${DB_PORT}
      PGPASS_DB: ${DB_NAME}
      PGPASS_USER: ${DB_USERNAME}
      PGPASS_PASSWORD: ${POSTGRES_PASSWORD}

      # Other config
      ALLOW_SAVE_PASSWORD: 'False'
      MFA_ENABLED: 'True'
      MFA_FORCE_REGISTRATION: 'False'
      MFA_SUPPORTED_METHODS: 'email'
      MFA_EMAIL_SUBJECT: 'Your MFA code by PHX-ERP'
      MAX_LOGIN_ATTEMPTS: 5
      ENHANCED_COOKIE_PROTECTION: 'True'
      SHOW_GRAVATAR_IMAGE: 'True'
      SECURITY_EMAIL_SENDER: ${SECURITY_EMAIL_SENDER}
      MAIL_SERVER: ${MAIL_SERVER}
      MAIL_PORT: ${MAIL_PORT}
      MAIL_USE_SSL: 'False'
      MAIL_USE_TLS: 'False'
      MAIL_USERNAME: ${MAIL_USERNAME}
      MAIL_PASSWORD: ${MAIL_PASSWORD}
      MAIL_DEBUG: 'False'
    volumes:
      - ./pgadmin/data:/var/lib/pgadmin
      - ./pgadmin/pgadmin-entrypoint.sh:/docker-entrypoint.sh:ro
    entrypoint: ["/bin/sh", "/docker-entrypoint.sh"]
    depends_on:
      postgres:
        condition: service_healthy
    healthcheck:
      test: ["CMD", "wget", "-O", "-", "http://localhost:80/misc/ping"]
      interval: 15s
      timeout: 10s
      retries: 5
      start_period: 60s
  phoenix-app:
    restart: always
    image: "phxerp/phoenix-app:alpha"
    container_name: phoenixAppProd
    volumes:
      - "/opt/containers/phx/app_custom:/usr/share/nginx/html/assets/custom"
      - "/opt/containers/phx/nginx/nginx.conf:/etc/nginx/nginx.conf"
      - ./nginx/includes:/etc/nginx/includes:ro
    ports:
      - "8081:80" # This port might be relate to Traefik, needs to be checked, since this compose is different from our default compose.
      - "3000:3000" # Restrict to only allow access from Grafana Server IP
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.phxalpha.entrypoints=https"
      - "traefik.http.routers.phxalpha.rule=Host(`alpha.phx-erp.de`)"
      - "traefik.http.routers.phxalpha.middlewares=secHeaders@file"
      - "traefik.http.routers.phxalpha.tls=true"
      - "traefik.http.routers.phxalpha.tls.certresolver=http"
      - "traefik.http.routers.phxalpha.service=phxalpha"
      - "traefik.http.services.phxalpha.loadbalancer.server.port=80"
      - "traefik.docker.network=proxy"
      
      - "traefik.http.routers.phxalpha-insecure.entrypoints=http"
      - "traefik.http.routers.phxalpha-insecure.rule=Host(`alpha.phx-erp.de`)"
      - "traefik.http.routers.phxalpha-insecure.tls=false"
    networks:
      - backend
      - frontend
    depends_on:
      pgadmin:
        condition: service_healthy
  phoenix-system:
    restart: always
    image: "phxerp/phoenix-system:alpha"
    # logging:
    #   driver: loki
    #   options:
    #     loki-url: "${LOKI_URL}"
    #     loki-retries: "${LOKI_RETRIES}"
    #     loki-batch-size: "${LOKI_BATCH_SIZE}"
    #     loki-external-labels: "service=phoenix-system,env=prod"
    environment:
      - "DB_HOST=phoenixDB"
      - "DB_NAME=${DB_NAME}"
      - "DB_PASSWORD=${POSTGRES_PASSWORD}"
      - "DB_USERNAME=postgres"
      - "SUPER_ADMIN_USER_PASSWORD=${SUPER_ADMIN_USER_PASSWORD}"
      - "REDIS_PASSWORD=${REDIS_PASSWORD}"
      - RUN_JOB_QUEUE=${RUN_JOB_QUEUE}
      - NODE_ENV=${NODE_ENV}
    command: ["npm", "run", "start:server"]

    depends_on:
      postgres:
        condition: service_healthy
    volumes:
      - "./logs:/usr/src/app/packages/dev-server/logs"
      - "asset-data:/usr/src/app/packages/dev-server/assets"
      - "/opt/containers/phx/server_custom:/usr/src/app/packages/dev-server/custom" # it seems tobe no effect if we make changes, not 100% of sure!
    networks:
      - postgres
    deploy:
      replicas: 1
  phoenix-worker:
    restart: always
    image: "phxerp/phoenix-system:alpha"
    environment:
      - DB_HOST=phoenixDB
      - "DB_PASSWORD=${POSTGRES_PASSWORD}"
      - DB_USERNAME=postgres
      - "SUPER_ADMIN_USER_PASSWORD=${SUPER_ADMIN_USER_PASSWORD}"
      - REDIS_PASSWORD=${REDIS_PASSWORD}
    # command: ["npm", "run", "start:worker"]
    entrypoint: ./entrypoint-phoenix-worker.sh
    depends_on:
      postgres:
        condition: service_healthy
    volumes:
      #  - "/opt/containers/phx/assets:/usr/src/app/packages/dev-server/custo/assets"
      #  - "asset-data:/usr/src/app/packages/dev-server/assets"
      - "/opt/containers/phx/server_custom:/usr/src/app/packages/dev-server/custom"
      - "./logs:/usr/src/app/packages/dev-server/logs"
    networks:
      - postgres
  node_exporter:
    image: quay.io/prometheus/node-exporter:latest
    container_name: node_exporter
    ports:
      - "9100:9100"  # Exposing the metrics port
    networks:
      - metrics
    restart: unless-stopped
    command:
      - "--path.procfs=/host/proc"
      - "--path.sysfs=/host/sys"
      - "--path.rootfs=/host"
      - "--collector.filesystem.ignored-mount-points=^/(sys|proc|dev)($$|/)"
    volumes:
      - "/proc:/host/proc:ro"
      - "/sys:/host/sys:ro"
      - "/:/host:ro,rslave"
  phoenix-redis:
    image: 'bitnami/redis:latest'
    container_name: redis
    #command: redis-server --save 20 1 --appendonly no --requirepass ${REDIS_PASSWORD} --loglevel warning
    command: /opt/bitnami/scripts/redis/run.sh --maxmemory 100mb --appendonly no
    user: root  # Non-root user in Bitnami images The /bitnami/redis/data directory inside the container is already owned by 1001, avoiding permission issues.
    restart: always
    environment:
      # REDIS_APPENDFSYNC: "always"
      ALLOW_EMPTY_PASSWORD: "no"
      # REDIS_DISABLE_COMMANDS: FLUSHDB,FLUSHALL,CONFIG
      REDIS_PASSWORD: ${REDIS_PASSWORD}
    healthcheck:
      test: [ "CMD", "redis-cli", "--raw", "incr", "ping" ]
    networks:
      - postgres
    volumes:
      - /opt/containers/phx/redis/data:/bitnami/redis/data
      - /opt/containers/phx/redis/tmp:/opt/bitnami/redis/tmp  # ✅ Fix permission issue
      # - /opt/containers/phx/redis/logs:/opt/bitnami/redis/logs  # ✅ Fix logs permission issue
      # - ./redis.conf:/opt/bitnami/redis/etc/redis.conf  # ✅ Use a writable redis.conf
volumes:
  db-data: null
  app-data: null
  asset-data: null
  pgadmin: null

networks:
  postgres:
    driver: bridge
  proxy:
    external: true
  metrics:
    driver: bridge