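# Production Docker Compose Configuration
# This file provides production-specific settings with maximum security
#
# It defines no image/build keys, so it is an override meant to be layered
# on top of a base Compose file. Check the merged result with
# `docker compose config` before deploying.
#
# Required variables (interpolation aborts with an error if unset or empty):
#   POSTGRES_PASSWORD, REDIS_PASSWORD

version: '3.8'

services:
  # Backend - Production Security
  backend:
    # Remove external port exposure - only accessible via reverse proxy.
    # Compose merges `ports` lists from layered files by appending, so a
    # plain `ports: []` would leave the base file's published ports in
    # place. The `!reset` tag discards the inherited value instead. It
    # needs a Compose release that understands the tag; older tooling
    # rejects the file rather than silently keeping the ports published.
    ports: !reset []
    # `expose` is documentation only; it neither opens nor restricts access.
    expose:
      - "3001"  # Internal only
    environment:
      NODE_ENV: production
      # Security settings
      # Boolean-looking values are quoted so the YAML parser hands Compose
      # a string instead of a typed boolean.
      API_DEBUG: "false"
      LOG_LEVEL: warn
      # Session security
      SESSION_SECURE: "true"
      SESSION_SAME_SITE: strict
      # Enhanced security headers
      ENABLE_SECURITY_HEADERS: "true"

  # PostgreSQL - Production Security
  postgres:
    # No external ports in production (see the note on backend.ports).
    ports: !reset []
    expose:
      - "5432"  # Internal only
    environment:
      # Production database settings
      # Must be set via environment; `:?` makes Compose fail instead of
      # substituting an empty password.
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}"
      # Only takes effect when the data directory is first initialised;
      # an existing volume keeps its current authentication settings.
      POSTGRES_INITDB_ARGS: "--auth-host=scram-sha-256"
    # Additional security
    # NOTE(review): this file mounts no certificate or key. With ssl=on the
    # server needs both files at the paths below, and the key must be
    # readable only by the postgres user. Confirm the base file provides them.
    # NOTE(review): log_statement=all writes the full text of every
    # statement to the log, which can include credentials (role password
    # changes) and application data. Restrict access to the logs, or use
    # `ddl` or `mod` if full statement logging is not required.
    command: >
      postgres
      -c ssl=on
      -c ssl_cert_file=/var/lib/postgresql/server.crt
      -c ssl_key_file=/var/lib/postgresql/server.key
      -c log_connections=on
      -c log_disconnections=on
      -c log_statement=all

  # Redis - Production Security
  redis:
    # No external ports in production (see the note on backend.ports).
    ports: !reset []
    expose:
      - "6379"  # Internal only
    # `:?` stops an unset variable from collapsing to an empty argument,
    # which would make --requirepass consume the next flag as the password.
    # NOTE(review): the password is part of the container's command line,
    # so it is visible in `docker inspect` and in process listings.
    # Consider supplying it through a mounted config file or secret.
    command: >
      redis-server
      --appendonly yes
      --requirepass ${REDIS_PASSWORD:?REDIS_PASSWORD must be set}
      --maxmemory 256mb
      --maxmemory-policy allkeys-lru
    environment:
      # Must be set via environment.
      # NOTE(review): the command above already receives the value through
      # Compose interpolation, so this entry only adds a second copy of the
      # secret to the container environment. Confirm whether anything
      # inside the container reads it before keeping it.
      REDIS_PASSWORD: "${REDIS_PASSWORD:?REDIS_PASSWORD must be set}"

  # Data Retention - Production Security
  data-retention:
    # No external ports in production (see the note on backend.ports).
    ports: !reset []
    expose:
      - "3001"  # Internal only
    environment:
      NODE_ENV: production
      IMMEDIATE_CLEANUP: "false"

  # Frontend - Production Optimization
  frontend:
    environment:
      # Production optimizations
      NGINX_WORKER_PROCESSES: auto
      NGINX_WORKER_CONNECTIONS: "1024"

  # Management - Production Optimization
  management:
    environment:
      # Production optimizations
      NGINX_WORKER_PROCESSES: auto
      NGINX_WORKER_CONNECTIONS: "1024"

  # Health Probe - Production Settings
  healthprobe:
    environment:
      PROBE_FAILRATE: "5"  # Lower failure rate in production
      PROBE_INTERVAL_SECONDS: "300"  # Less frequent in production

# Production-specific network settings
networks:
  drone-network:
    driver: bridge
    driver_opts:
      # Enhanced network security
      # NOTE(review): enable_icc=false drops traffic between containers on
      # this bridge. If backend, postgres and redis all attach to
      # drone-network (not visible in this file), the backend will be
      # unable to reach its database and cache. Confirm the intended
      # topology, or split services across networks by trust level.
      com.docker.network.bridge.enable_icc: "false"
      com.docker.network.bridge.enable_ip_masquerade: "true"
      com.docker.network.driver.mtu: "1500"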