version: '3.8'

services:
  # ── PHP-FPM Application ──────────────────────────────────────────────────
  app:
    build:
      context: ..
      dockerfile: docker/Dockerfile
    container_name: nis2-app
    restart: unless-stopped
    mem_limit: 256m
    volumes:
      - ../application:/var/www/nis2-agile/application
      - ../public:/var/www/nis2-agile/public
      - nis2-uploads:/var/www/nis2-agile/public/uploads
    env_file:
      - ../.env
    environment:
      - APP_ENV=${APP_ENV:-production}
      - APP_DEBUG=${APP_DEBUG:-false}
      - DB_HOST=db
      - DB_PORT=3306
      - DB_NAME=${DB_NAME:-nis2_agile_db}
      - DB_USER=${DB_USER:-nis2_user}
      - DB_PASS=${DB_PASS}
      - JWT_SECRET=${JWT_SECRET}
      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
    networks:
      - nis2-network
    depends_on:
      db:
        condition: service_healthy

  # ── Nginx Web Server ─────────────────────────────────────────────────────
  web:
    image: nginx:1.27-alpine
    container_name: nis2-web
    restart: unless-stopped
    mem_limit: 128m
    ports:
      - "${WEB_PORT:-8080}:8080"
    volumes:
      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
      - ../public:/var/www/nis2-agile/public:ro
      - nis2-uploads:/var/www/nis2-agile/public/uploads:ro
    networks:
      - nis2-network
    depends_on:
      - app

  # ── MySQL Database ───────────────────────────────────────────────────────
  db:
    image: mysql:8.0
    container_name: nis2-db
    restart: unless-stopped
    mem_limit: 512m
    environment:
      MYSQL_ROOT_PASSWORD: ${DB_ROOT_PASSWORD:-rootpass}
      MYSQL_DATABASE: ${DB_NAME:-nis2_agile_db}
      MYSQL_USER: ${DB_USER:-nis2_user}
      MYSQL_PASSWORD: ${DB_PASS}
    ports:
      - "127.0.0.1:${DB_EXPOSE_PORT:-3307}:3306"
    volumes:
      - nis2-db-data:/var/lib/mysql
      - ../docs/sql/001_initial_schema.sql:/docker-entrypoint-initdb.d/001_initial_schema.sql:ro
      - ../docs/sql/002_email_log.sql:/docker-entrypoint-initdb.d/002_email_log.sql:ro
      - ../docs/sql/003_voluntary_compliance.sql:/docker-entrypoint-initdb.d/003_voluntary_compliance.sql:ro
      - ../docs/sql/004_ncr_capa.sql:/docker-entrypoint-initdb.d/004_ncr_capa.sql:ro
    healthcheck:
      test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-u", "root", "-p${DB_ROOT_PASSWORD:-rootpass}"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 30s
    networks:
      - nis2-network

# ── Volumes ──────────────────────────────────────────────────────────────
volumes:
  nis2-db-data:
    driver: local
  nis2-uploads:
    driver: local

# ── Networks ─────────────────────────────────────────────────────────────
networks:
  nis2-network:
    driver: bridge