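# SOCAR AI System - Production Docker Compose with SSL/TLS Support
# This configuration includes nginx reverse proxy with SSL termination
#
# Prerequisites:
#   1. Set up CAA DNS records for your domain (see docs/markdowns/SSL_CAA_SETUP.md)
#   2. Generate SSL certificates using certbot or your CA
#   3. Copy certificates to ./nginx/ssl/
#
# Usage:
#   docker-compose -f docker-compose.prod.yml up -d
#
# Security notes:
#   - ./nginx/ssl holds TLS private keys. Keep it out of version control and
#     restrict its permissions on the host.
#   - .env is loaded into the application container. Keep secrets in it out of
#     version control as well.

# Compose v2 ignores this field and reports it as obsolete; kept for older
# docker-compose releases.
version: '3.8'

services:
  # Nginx reverse proxy with SSL termination.
  # This is the only service that publishes ports on the host.
  nginx:
    # NOTE(review): floating tag; pin a specific version or digest so that a
    # recreate cannot silently pull a different image.
    image: nginx:alpine
    container_name: socar-nginx
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # All mounts are read-only: nginx only reads its config, the
      # certificates and the ACME challenge files.
      - ./nginx/nginx.conf:/etc/nginx/conf.d/default.conf:ro
      - ./nginx/ssl:/etc/nginx/ssl:ro
      - ./certbot/www:/var/www/certbot:ro
    depends_on:
      # Start the proxy only once the application reports healthy.
      socar-ai-system:
        condition: service_healthy
    restart: unless-stopped
    healthcheck:
      # Probes the plain-HTTP listener only; the TLS listener on 443 is not
      # covered by this check.
      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:80/"]
      interval: 30s
      timeout: 10s
      retries: 3
    networks:
      - socar-network
    labels:
      - "com.socar.service=nginx-proxy"
      - "com.socar.ssl=enabled"

  # Certbot for automatic SSL certificate renewal (Let's Encrypt).
  # NOTE(review): nothing in this file reloads nginx after a renewal. Unless
  # nginx.conf or an external job does it, nginx keeps serving the previous
  # certificate until it is restarted - confirm.
  certbot:
    # NOTE(review): ":latest" is a floating tag on the container that writes
    # the TLS private keys; pin a specific version or digest.
    image: certbot/certbot:latest
    container_name: socar-certbot
    volumes:
      # Same host directory that nginx mounts read-only at /etc/nginx/ssl.
      # Certbot is the only writer.
      - ./nginx/ssl:/etc/letsencrypt:rw
      - ./certbot/www:/var/www/certbot:rw
    # Renewal loop: attempt "certbot renew" every 12 hours and exit cleanly on
    # SIGTERM. "$$" escapes "$" from Compose variable interpolation.
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
    # Restart policy matches the other services. Without it the renewal loop
    # does not come back after a crash or a Docker daemon restart, and
    # certificates would expire unnoticed.
    restart: unless-stopped
    networks:
      - socar-network
    labels:
      - "com.socar.service=certbot"
      - "com.socar.purpose=ssl-renewal"

  # Main SOCAR AI System
  socar-ai-system:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: socar-ai-system
    # Only expose internally to nginx (not to host)
    expose:
      - "8000"
    env_file:
      - .env
    environment:
      - PYTHONUNBUFFERED=1
      - PRODUCTION=true
      - HTTPS_ONLY=true
      # Falls back to "localhost" when TRUSTED_HOSTS is unset or empty; set it
      # to the public hostname(s) in production.
      - TRUSTED_HOSTS=${TRUSTED_HOSTS:-localhost}
    restart: unless-stopped
    healthcheck:
      # Assumes curl is installed in the image built from ./Dockerfile - verify.
      test: ["CMD", "curl", "-f", "http://localhost:8000/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s
    networks:
      - socar-network
    labels:
      - "com.socar.description=SOCAR Historical Documents AI System"
      - "com.socar.features=OCR,LLM,Frontend"
      - "com.socar.version=1.0.0"
      - "com.socar.environment=production"

networks:
  socar-network:
    driver: bridge
    ipam:
      config:
        - subnet: 172.28.0.0/16

# NOTE(review): this named volume is declared but no service above mounts it.
# Certificates are persisted through the ./nginx/ssl bind mount instead.
volumes:
  ssl-certs:
    driver: local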