version: '3.8'

services:
  orchard-server:
    build:
      context: .
      dockerfile: Dockerfile
    ports:
      - "127.0.0.1:8080:8080"
    environment:
      - ORCHARD_SERVER_HOST=0.0.0.0
      - ORCHARD_SERVER_PORT=8080
      - ORCHARD_DATABASE_HOST=postgres
      - ORCHARD_DATABASE_PORT=5432
      - ORCHARD_DATABASE_USER=orchard
      - ORCHARD_DATABASE_PASSWORD=orchard_secret
      - ORCHARD_DATABASE_DBNAME=orchard
      - ORCHARD_DATABASE_SSLMODE=disable
      - ORCHARD_S3_ENDPOINT=http://minio:9000
      - ORCHARD_S3_REGION=us-east-1
      - ORCHARD_S3_BUCKET=orchard-artifacts
      - ORCHARD_S3_ACCESS_KEY_ID=minioadmin
      - ORCHARD_S3_SECRET_ACCESS_KEY=minioadmin
      - ORCHARD_S3_USE_PATH_STYLE=true
      - ORCHARD_REDIS_HOST=redis
      - ORCHARD_REDIS_PORT=6379
    depends_on:
      postgres:
        condition: service_healthy
      minio:
        condition: service_healthy
      redis:
        condition: service_healthy
    networks:
      - orchard-network
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
      interval: 30s
      timeout: 3s
      start_period: 10s
      retries: 3
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    mem_limit: 1g
    cpus: 1.0

  postgres:
    image: containers.global.bsf.tools/postgres:16-alpine
    environment:
      - POSTGRES_USER=orchard
      - POSTGRES_PASSWORD=orchard_secret
      - POSTGRES_DB=orchard
    volumes:
      - postgres-data:/var/lib/postgresql/data
      - ./migrations:/docker-entrypoint-initdb.d:ro
    ports:
      - "127.0.0.1:5432:5432"
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U orchard -d orchard"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - orchard-network
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    mem_limit: 512m
    cpus: 0.5

  minio:
    image: containers.global.bsf.tools/minio/minio:latest
    command: server /data --console-address ":9001"
    environment:
      - MINIO_ROOT_USER=minioadmin
      - MINIO_ROOT_PASSWORD=minioadmin
    volumes:
      - minio-data:/data
    ports:
      - "127.0.0.1:9000:9000"
      - "127.0.0.1:9001:9001"
    healthcheck:
      test: ["CMD", "mc", "ready", "local"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - orchard-network
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    mem_limit: 512m
    cpus: 0.5

  minio-init:
    image: containers.global.bsf.tools/minio/mc:latest
    depends_on:
      minio:
        condition: service_healthy
    entrypoint: >
      /bin/sh -c "
      mc alias set myminio http://minio:9000 minioadmin minioadmin;
      mc mb myminio/orchard-artifacts --ignore-existing;
      mc anonymous set download myminio/orchard-artifacts;
      exit 0;
      "
    networks:
      - orchard-network
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    mem_limit: 128m
    cpus: 0.25

  redis:
    image: containers.global.bsf.tools/redis:7-alpine
    command: redis-server --appendonly yes
    volumes:
      - redis-data:/data
    ports:
      - "127.0.0.1:6379:6379"
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - orchard-network
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    mem_limit: 256m
    cpus: 0.25

volumes:
  postgres-data:
  minio-data:
  redis-data:

networks:
  orchard-network:
    driver: bridge