services:
  backend:
    build:
      context: backend
      target: prod
    cap_drop:
      - all
    cap_add:
      - setuid
      - setgid
      - setfcap
    env_file:
      - docker.prod.env
    ports:
      - "8000:8000"
    restart: on-failure
    security_opt:
      - apparmor=unconfined
      - seccomp=unconfined
    volumes:
      # persist compilers + libraries
      - ./backend/compilers:/backend/compilers
      - ./backend/libraries:/backend/libraries
      # static files for django /admin control panel
      - ./backend/static:/backend/static
    tmpfs:
      # Use a separate tmpfs to prevent a rogue jailed process
      # from filling /tmp on the parent container
      - /sandbox/tmp:exec,uid=1000,gid=1000,size=64M,mode=0700
    networks:
      - decompme
    # uncommment for local testing
    # entrypoint: tail -f /dev/null

  frontend:
    build:
      context: frontend
      target: prod
    env_file:
      - docker.prod.env
    ports:
      - "8080:8080"
    restart: on-failure
    networks:
      - decompme

  nginx:
    build:
      context: nginx
    ports:
      - "80:80"
      - "443:443"
    restart: on-failure
    volumes:
      # repo files
      - ./nginx/production.conf:/etc/nginx/conf.d/default.conf:ro
      - ./frontend/down.html:/var/www/decomp.me/down.html:ro
      # certbot
      - ./certbot:/var/www/certbot
      - ./letsencrypt:/etc/letsencrypt
      # NOTE: /media is a "Project" feature, currently unused
      - ./backend/media:/media
      # static files for django /admin control panel
      - ./backend/static:/var/www/decomp.me/static
      # TODO: mount static + public files from frontend
    # BOOTSTRAP: allow nginx to start before backend/frontend containers are up
    #extra_hosts:
    #  - "backend=172.17.0.1"   # docker0 bridge
    #  - "frontend=172.17.0.1"  # docker0 bridge
    networks:
      - decompme

  certbot:
    image: certbot/certbot
    volumes:
      - ./certbot:/var/www/certbot
      - ./letsencrypt:/etc/letsencrypt
    entrypoint: "/bin/sh -c"
    command: >
      "trap exit TERM; while :; do sleep 12h & wait $${!}; certbot renew --webroot -w /var/www/certbot; done"
    networks:
      - decompme

  postgres:
    image: postgres:17
    env_file:
      - docker.prod.env
    # ports:
    #   - "5432:5432"
    restart: on-failure
    volumes:
      - ./postgres:/var/lib/postgresql/data
      # BOOTSTRAP: for dumping/restoring db
      - ./pgdump:/pgdump
    networks:
      - decompme
    command: >
      postgres
      -c shared_buffers=8GB
      -c work_mem=128MB
      -c maintenance_work_mem=2GB
      -c effective_cache_size=16GB
      -c wal_buffers=32MB
      -c checkpoint_completion_target=0.9
      -c random_page_cost=1.1
      -c effective_io_concurrency=300

networks:
  decompme:
    driver: bridge