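# Secure Homelab Docker Compose Configuration
# Use with: docker-compose -f docker-compose.yml -f docker-compose.homelab-secure.yml up -d
#
# Required environment: REDIS_PASSWORD must be set (shell or .env) before
# running compose. There is deliberately no fallback value: a default
# password committed in this file is known to anyone who can read it.
# Both networks below are declared external and must exist beforehand.

services:
  api-server:
    build:
      context: .
      dockerfile: build/docker/simple.Dockerfile
    container_name: ml-experiments-api
    # NOTE(review): these publish the API and metrics ports on every host
    # interface, so clients can reach the API without going through the
    # nginx reverse proxy below. If nginx is meant to be the only entry
    # point, bind these to 127.0.0.1 or drop them - confirm what scrapes
    # 9100 first.
    ports:
      - "9101:9101"
      - "9100:9100"  # Prometheus metrics endpoint
    volumes:
      - ./data:/data/experiments
      - ./logs:/logs
      - ./ssl:/app/ssl:ro
      - ./configs/environments/config-homelab-secure.yaml:/app/configs/config.yaml:ro
      - ./.env.secure:/app/.env.secure:ro
    depends_on:
      redis:
        condition: service_healthy
    restart: unless-stopped
    environment:
      # NOTE(review): this URL carries no credentials although Redis runs
      # with requirepass; presumably the application takes the password
      # from its config file - confirm.
      - REDIS_URL=redis://redis:6379
      - LOG_LEVEL=info
      # Load secure environment variables
      - JWT_SECRET_FILE=/app/.env.secure
    healthcheck:
      # -k skips certificate verification; the probe only targets localhost
      # inside the container, so it checks liveness, not the TLS chain.
      test: ["CMD", "curl", "-k", "-f", "https://localhost:9101/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s
    labels:
      logging: "promtail"
      job: "api-server"
    networks:
      - ml-experiments-network
      # Add internal network for secure communication
      - ml-backend-network

  # Add a reverse proxy for additional security
  nginx:
    image: nginx:alpine
    container_name: ml-experiments-nginx
    ports:
      - "443:443"
      - "80:80"  # Redirect to HTTPS
    volumes:
      - ./nginx/nginx-secure.conf:/etc/nginx/nginx.conf:ro
      - ./ssl:/etc/nginx/ssl:ro
    depends_on:
      - api-server
    restart: unless-stopped
    networks:
      - ml-experiments-network
    healthcheck:
      # NOTE(review): probes plain HTTP while port 80 is described as a
      # redirect to HTTPS; verify nginx-secure.conf answers /health here.
      test:
        ["CMD", "wget", "--quiet", "--tries=1", "--spider",
         "http://localhost/health"]
      interval: 30s
      timeout: 10s
      retries: 3

  # Redis with authentication
  redis:
    image: redis:7-alpine
    container_name: ml-experiments-redis
    ports:
      - "127.0.0.1:6379:6379"  # Bind to localhost only
    volumes:
      - redis_data:/data
      - ./redis/redis-secure.conf:/usr/local/etc/redis/redis.conf:ro
    restart: unless-stopped
    # ${VAR:?msg} makes compose abort when REDIS_PASSWORD is unset or empty
    # instead of starting Redis with a well-known placeholder password.
    # The password is still interpolated into the command line, the
    # healthcheck arguments and the container environment, so it is
    # readable through `docker inspect`; restrict access to the Docker
    # socket accordingly, or move requirepass into the mounted redis.conf.
    command: redis-server /usr/local/etc/redis/redis.conf --requirepass ${REDIS_PASSWORD:?REDIS_PASSWORD must be set}
    healthcheck:
      test:
        ["CMD", "redis-cli", "--no-auth-warning", "-a",
         "${REDIS_PASSWORD:?REDIS_PASSWORD must be set}", "ping"]
      interval: 30s
      timeout: 10s
      retries: 3
    networks:
      - ml-backend-network
    environment:
      - REDIS_PASSWORD=${REDIS_PASSWORD:?REDIS_PASSWORD must be set}

volumes:
  redis_data:
    driver: local

networks:
  ml-experiments-network:
    external: true
  # NOTE(review): `external: true` only says the network is created outside
  # this file; whether it is actually isolated depends on how it was
  # created (e.g. `docker network create --internal`) - confirm.
  ml-backend-network:
    external: true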