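# Production Compose stack: app server (php), Messenger worker, PostgreSQL
# and the strfry Nostr relay.
#
# Secrets use the `${VAR:?message}` form, so `docker compose` refuses to
# start when one is missing. This replaces the fallbacks to placeholder
# values that are readable by anyone with access to this file.
services:
  php:
    build:
      context: .
      target: frankenphp_prod
    image: yourapp/php:prod
    restart: unless-stopped
    environment:
      # --- Symfony / App ---
      APP_ENV: prod
      # Required: an unset variable would reach the container as an empty
      # string.
      APP_SECRET: '${APP_SECRET:?APP_SECRET must be set}'
      # trust your proxy/load balancer networks, adjust as needed
      # NOTE(review): the fallback trusts loopback plus every RFC 1918 range,
      # so forwarded headers from any host on those networks are believed.
      # Narrow it to the addresses of your actual proxy.
      TRUSTED_PROXIES: '${TRUSTED_PROXIES:-127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16}'
      # NOTE(review): the fallback `.+` accepts any Host header. Set
      # TRUSTED_HOSTS to a pattern matching only your real domain(s).
      TRUSTED_HOSTS: '${TRUSTED_HOSTS:-.+}'
      # Set SERVER_NAME to your domain for automatic TLS, or :80 if behind a
      # reverse proxy
      SERVER_NAME: '${SERVER_NAME:-:80}'
      # --- Mercure (Caddy module) ---
      # Required: no placeholder fallback. Publisher and subscriber share one
      # secret here, so with the default HS256 anyone holding the subscriber
      # key can also sign publisher tokens; use separate keys if those roles
      # must be kept apart.
      MERCURE_PUBLISHER_JWT_KEY: '${MERCURE_JWT_SECRET:?MERCURE_JWT_SECRET must be set}'
      MERCURE_SUBSCRIBER_JWT_KEY: '${MERCURE_JWT_SECRET:?MERCURE_JWT_SECRET must be set}'
      MERCURE_PUBLISHER_JWT_ALG: '${MERCURE_PUBLISHER_JWT_ALG:-HS256}'
      MERCURE_SUBSCRIBER_JWT_ALG: '${MERCURE_SUBSCRIBER_JWT_ALG:-HS256}'
      # --- Nostr Relay ---
      RELAY_DOMAIN: '${RELAY_DOMAIN:-relay.localhost}'
      NOSTR_DEFAULT_RELAY: '${NOSTR_DEFAULT_RELAY:-ws://strfry:7777}'
      # --- Database URL (optional: prefer .env.prod) ---
      # DATABASE_URL: ${DATABASE_URL}
    ports:
      - target: 80
        published: 80
        protocol: tcp
      # HTTPS port - required when Caddy handles TLS (SERVER_NAME is a domain,
      # not :80)
      - target: 443
        published: 443
        protocol: tcp
      # HTTP/3 (QUIC) - optional but recommended for performance
      - target: 443
        published: 443
        protocol: udp
    volumes:
      # Caddy state (TLS certs, etc.). Safe to persist.
      - caddy_data:/data
      - caddy_config:/config
    depends_on:
      database:
        condition: service_healthy
      strfry:
        condition: service_started

  worker:
    build:
      context: .
      target: frankenphp_prod  # use the prod stage so vendor/ is baked in
    image: yourapp/worker:prod
    working_dir: /app
    entrypoint: ["php"]
    command:
      - bin/console
      - messenger:consume
      - '-vv'
      - '--memory-limit=256M'
      - '--keepalive'
      - "10"
      - async
    restart: unless-stopped
    depends_on:
      php:
        condition: service_started
      database:
        condition: service_healthy
    # The worker publishes no ports and mounts nothing from the host.
    ports: []
    expose: []
    volumes: []  # IMPORTANT: no bind mount in prod

  database:
    image: postgres:${POSTGRES_VERSION:-16}-alpine
    restart: unless-stopped
    environment:
      POSTGRES_DB: '${POSTGRES_DB:-app}'
      # Required: no placeholder fallback for the database password.
      POSTGRES_PASSWORD: '${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}'
      POSTGRES_USER: '${POSTGRES_USER:-app}'
    # No `ports:` entry: this file does not publish PostgreSQL on the host.
    volumes:
      - database_data:/var/lib/postgresql/data:rw
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d ${POSTGRES_DB:-app} -U ${POSTGRES_USER:-app}"]
      interval: 10s
      timeout: 5s
      retries: 10
      start_period: 60s

###> strfry relay ###
  strfry:
    # NOTE(review): `latest` is a mutable tag, so a rebuild or pull can change
    # the relay binary without any change to this file. Pin to a specific
    # tag or image digest that you have verified.
    image: dockurr/strfry:latest
    restart: unless-stopped
    command:
      - /bin/sh
      - -c
      # Relay and router run in the background of one shell; `wait` keeps the
      # container alive until both have exited.
      - |
        ./strfry relay /etc/strfry.conf &
        ./strfry router /etc/router.conf &
        wait
    volumes:
      # Config and the write-policy script are mounted read-only.
      - ./docker/strfry/strfry.conf:/etc/strfry.conf:ro
      - ./docker/strfry/write-policy.sh:/app/write-policy.sh:ro
      - ./docker/strfry/router.conf:/etc/router.conf:ro
      - strfry_data:/var/lib/strfry
###< strfry relay ###

volumes:
  caddy_data:
  caddy_config:
  database_data:
  strfry_data: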