services:

  # ── MySQL ────────────────────────────────────────────────────────────────────
  # MYSQL_ROOT_PASSWORD and MYSQL_PASSWORD should each be 20+ random characters.
  # Generate with: openssl rand -hex 16
  db:
    image: mysql:8.0.45
    restart: unless-stopped
    deploy:
      resources:
        limits:
          cpus: '1.0'
          memory: 512M
    env_file: .env
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"
    environment:
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
      MYSQL_DATABASE:      ${MYSQL_DATABASE}
      MYSQL_USER:          ${MYSQL_USER}
      MYSQL_PASSWORD:      ${MYSQL_PASSWORD}
    volumes:
      - mysql_data:/var/lib/mysql                          # persistent data
      - ./mysql/init.sql:/docker-entrypoint-initdb.d/init.sql:ro  # run once on first start
    healthcheck:
      test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-u", "root", "-p${MYSQL_ROOT_PASSWORD}"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 30s
    networks:
      - backend

  # ── FastAPI ──────────────────────────────────────────────────────────────────
  api:
    build: ./backend
    restart: unless-stopped
    deploy:
      resources:
        limits:
          cpus: '1.0'
          memory: 256M
    env_file: .env
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"
    environment:
      DATABASE_URL:     mysql+pymysql://${MYSQL_USER}:${MYSQL_PASSWORD}@db/${MYSQL_DATABASE}
      ADMIN_USERNAME:   ${ADMIN_USERNAME}
      ADMIN_PASSWORD:   ${ADMIN_PASSWORD}
      JWT_SECRET:       ${JWT_SECRET}
      NTFY_URL:         ${NTFY_URL:-}
      NTFY_TOKEN:       ${NTFY_TOKEN:-}
    healthcheck:
      test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:8000/api/health')"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 15s
    depends_on:
      db:
        condition: service_healthy   # wait for MySQL to be ready before starting
    networks:
      - backend

  # ── Nginx ────────────────────────────────────────────────────────────────────
  nginx:
    image: nginx:1.29.6-alpine
    restart: unless-stopped
    deploy:
      resources:
        limits:
          cpus: '0.5'
          memory: 64M
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"
    ports:
      - "8056:80"
    volumes:
      - ./nginx/html:/usr/share/nginx/html:ro      # static files — edit locally, live immediately
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro  # nginx config
    depends_on:
      - api
    networks:
      - backend

# ── Volumes ───────────────────────────────────────────────────────────────────
volumes:
  mysql_data:   # survives container restarts and rebuilds

# ── Networks ──────────────────────────────────────────────────────────────────
networks:
  backend:
    driver: bridge