# =============================================================================
# tOS Local Docker Compose (Full-Stack)
# =============================================================================
# Lokaler Full-Stack zum Testen der containerisierten Anwendung.
# Alle Services laufen containerisiert mit exponierten Ports.
#
# Start:   docker compose -f docker-compose.local.yml up -d --build
# Stop:    docker compose -f docker-compose.local.yml down
# Reset:   docker compose -f docker-compose.local.yml down -v
#
# Unterschied zum Dev-Stack (docker-compose.yml):
#   - Dev-Stack: Nur Infra (Postgres, Redis, Keycloak), Apps laufen nativ
#   - Local-Stack: Alle Services containerisiert (nahe an Produktion)
# =============================================================================

name: tos-local

services:
  # ---------------------------------------------------------------------------
  # PostgreSQL Database
  # ---------------------------------------------------------------------------
  postgres:
    image: postgres:16-alpine
    container_name: tos-postgres-local
    restart: unless-stopped
    environment:
      POSTGRES_USER: ${POSTGRES_USER:-tos_user}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-tos_local_password}
      POSTGRES_DB: ${POSTGRES_DB:-tos_db}
      POSTGRES_INITDB_ARGS: "--encoding=UTF8 --locale=C"
    ports:
      - "5432:5432"
    volumes:
      - postgres_local_data:/var/lib/postgresql/data
      - ./postgres/init.sql:/docker-entrypoint-initdb.d/init.sql:ro
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-tos_user} -d ${POSTGRES_DB:-tos_db}"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 10s
    networks:
      - tos-local-network

  # ---------------------------------------------------------------------------
  # Redis Cache & Queue
  # ---------------------------------------------------------------------------
  redis:
    image: redis:7-alpine
    container_name: tos-redis-local
    restart: unless-stopped
    command: redis-server --appendonly yes
    ports:
      - "6379:6379"
    volumes:
      - redis_local_data:/data
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - tos-local-network

  # ---------------------------------------------------------------------------
  # Keycloak Identity & Access Management (Dev Mode)
  # ---------------------------------------------------------------------------
  keycloak:
    image: quay.io/keycloak/keycloak:24.0
    container_name: tos-keycloak-local
    restart: unless-stopped
    command:
      - start-dev
      - --import-realm
    environment:
      KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-admin}
      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin123}
      KC_DB: postgres
      KC_DB_URL: jdbc:postgresql://postgres:5432/${POSTGRES_DB:-tos_db}
      KC_DB_USERNAME: ${POSTGRES_USER:-tos_user}
      KC_DB_PASSWORD: ${POSTGRES_PASSWORD:-tos_local_password}
      KC_HOSTNAME: localhost
      KC_HOSTNAME_STRICT: "false"
      KC_HOSTNAME_STRICT_HTTPS: "false"
      KC_HTTP_ENABLED: "true"
      KC_HEALTH_ENABLED: "true"
    ports:
      - "8080:8080"
    volumes:
      - ./keycloak/realm-export.json:/opt/keycloak/data/import/realm-export.json:ro
    healthcheck:
      # Keycloak 24+ (UBI9) hat kein curl - nutze bash TCP redirect
      test: >
        bash -c 'exec 3<>/dev/tcp/localhost/8080 &&
        echo -e "GET /health/ready HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n" >&3 &&
        timeout 2 cat <&3 | grep -q "200 OK"'
      interval: 30s
      timeout: 15s
      retries: 5
      start_period: 90s
    depends_on:
      postgres:
        condition: service_healthy
    networks:
      - tos-local-network

  # ---------------------------------------------------------------------------
  # tOS API (NestJS Backend)
  # ---------------------------------------------------------------------------
  api:
    build:
      context: ..
      dockerfile: apps/api/Dockerfile
    container_name: tos-api-local
    restart: unless-stopped
    environment:
      NODE_ENV: production
      PORT: "3001"
      API_PREFIX: api
      DATABASE_URL: postgresql://${POSTGRES_USER:-tos_user}:${POSTGRES_PASSWORD:-tos_local_password}@postgres:5432/tos_app
      JWT_SECRET: ${JWT_SECRET:-local-jwt-secret-not-for-production-use}
      ENCRYPTION_KEY: ${ENCRYPTION_KEY:-local-encryption-key-32-bytes-long!!}
      KEYCLOAK_URL: http://keycloak:8080
      KEYCLOAK_REALM: tOS
      KEYCLOAK_CLIENT_ID: tos-backend
      KEYCLOAK_CLIENT_SECRET: ${KEYCLOAK_CLIENT_SECRET:-}
      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin123}
      REDIS_HOST: redis
      REDIS_PORT: "6379"
      SETUP_TOKEN: ${SETUP_TOKEN:-local-setup-token-for-testing}
    ports:
      - "3001:3001"
    depends_on:
      postgres:
        condition: service_healthy
      redis:
        condition: service_healthy
      keycloak:
        condition: service_healthy
    healthcheck:
      test: ["CMD-SHELL", "wget -qO- http://localhost:3001/api/v1/health/liveness || exit 1"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 60s
    networks:
      - tos-local-network

  # ---------------------------------------------------------------------------
  # tOS Web Frontend (Next.js)
  # ---------------------------------------------------------------------------
  # HINWEIS zum Keycloak-Issuer-Problem in Docker:
  # Next.js/NextAuth validiert Tokens server-seitig gegen den Issuer.
  # Der Browser erreicht Keycloak ueber localhost:8080, aber der Container
  # muss ueber den Docker-Netzwerknamen "keycloak:8080" zugreifen.
  #
  # Loesung: KEYCLOAK_ISSUER fuer Browser-Redirects (localhost),
  #          NEXTAUTH_KEYCLOAK_ISSUER fuer server-seitige Validierung (Docker-intern)
  # ---------------------------------------------------------------------------
  web:
    build:
      context: ..
      dockerfile: apps/web/Dockerfile
    container_name: tos-web-local
    restart: unless-stopped
    environment:
      NEXT_PUBLIC_APP_URL: http://localhost:3000
      NEXT_PUBLIC_API_URL: http://localhost:3001/api/v1
      NEXTAUTH_URL: http://localhost:3000
      NEXTAUTH_SECRET: ${NEXTAUTH_SECRET:-local-nextauth-secret}
      KEYCLOAK_CLIENT_ID: tos-nextauth
      KEYCLOAK_CLIENT_SECRET: ${NEXTAUTH_KEYCLOAK_CLIENT_SECRET:-tos-nextauth-secret-dev}
      # Browser-seitige Redirects: localhost (erreichbar vom Host)
      KEYCLOAK_ISSUER: http://localhost:8080/realms/tOS
      # Server-seitige Token-Validierung: Docker-internes Netzwerk
      NEXTAUTH_KEYCLOAK_ISSUER: http://keycloak:8080/realms/tOS
    ports:
      - "3000:3000"
    depends_on:
      api:
        condition: service_healthy
    networks:
      - tos-local-network

# =============================================================================
# Volumes
# =============================================================================
volumes:
  postgres_local_data:
    name: tos-local-postgres-data
  redis_local_data:
    name: tos-local-redis-data

# =============================================================================
# Networks
# =============================================================================
networks:
  tos-local-network:
    name: tos-local-network
    driver: bridge