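# Local development stack for the KMS API: Postgres, nginx front door, the API,
# the frontend, and two throw-away identity providers (Keycloak, SimpleSAMLphp).
#
# Security notes for anyone adapting this beyond a laptop:
#   * Signing/HMAC key material is NOT embedded here any more. Put it in a
#     git-ignored `.env` (e.g. `openssl rand -hex 32` for each of
#     INTERNAL_HMAC_KEY, JWT_SECRET, AUTH_SIGNING_KEY); compose fails fast
#     with `${VAR:?...}` if one is missing. Keys that were previously committed
#     to this file must be treated as compromised and rotated.
#   * AUTH_PROVIDER=header makes the API trust the X-User-Email request header
#     as the caller's identity. That is only safe when every request reaches
#     the API through a proxy that strips/overwrites the header. Internal
#     ports are therefore published on 127.0.0.1 only, so nothing outside
#     this host can talk to the API, DB, metrics or IdP admin consoles
#     directly. Verify ./nginx/default.conf actually sets the header itself
#     (proxy_set_header) rather than passing the client's value through.
#   * DB traffic uses DB_SSLMODE=disable; acceptable only because it never
#     leaves the private `kms-network` bridge.
#   * Booleans/numbers in `environment:` are quoted so every Compose version
#     hands the service a plain string instead of rejecting a YAML bool.
version: '3.8'

services:
  postgres:
    image: docker.io/library/postgres:15-alpine
    container_name: kms-postgres
    environment:
      POSTGRES_DB: kms
      POSTGRES_USER: postgres
      # Dev default only; override in .env. Shared with api-service below so
      # both sides always agree.
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-postgres}
    ports:
      # Loopback only: the DB must not be reachable from other hosts.
      - "127.0.0.1:5432:5432"
    volumes:
      - postgres_data:/var/lib/postgresql/data
      # Runs once, on first initialisation of an empty data volume only.
      - ./migrations:/docker-entrypoint-initdb.d:Z
    networks:
      - kms-network
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U postgres -d kms"]
      interval: 10s
      timeout: 5s
      retries: 5

  # Single intended entry point for browsers and SSO callbacks (localhost:8081).
  nginx:
    image: docker.io/library/nginx:alpine
    container_name: kms-nginx
    ports:
      - "8081:80"
    volumes:
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro,Z
      - ./nginx/default.conf:/etc/nginx/conf.d/default.conf:ro,Z
    depends_on:
      - api-service
      - frontend
    networks:
      - kms-network

  api-service:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: kms-api-service
    environment:
      APP_ENV: development
      DB_HOST: postgres
      DB_PORT: "5432"
      DB_NAME: kms
      DB_USER: postgres
      DB_PASSWORD: ${POSTGRES_PASSWORD:-postgres}
      # Plaintext to the DB is only OK on the private bridge network.
      DB_SSLMODE: disable
      DB_CONN_MAX_LIFETIME: 5m
      DB_MAX_OPEN_CONNS: "25"
      DB_MAX_IDLE_CONNS: "5"
      SERVER_HOST: 0.0.0.0
      SERVER_PORT: "8080"
      LOG_LEVEL: debug
      MIGRATION_PATH: /app/migrations
      # Key material: required, sourced from .env, never committed.
      INTERNAL_HMAC_KEY: ${INTERNAL_HMAC_KEY:?set INTERNAL_HMAC_KEY in .env (openssl rand -hex 32)}
      JWT_SECRET: ${JWT_SECRET:?set JWT_SECRET in .env (openssl rand -hex 32)}
      AUTH_SIGNING_KEY: ${AUTH_SIGNING_KEY:?set AUTH_SIGNING_KEY in .env (openssl rand -hex 32)}
      # Header-based identity: the API believes whatever X-User-Email says.
      # Only the nginx proxy may set it; the API port is loopback-bound below
      # so clients cannot bypass the proxy from another machine.
      AUTH_PROVIDER: header
      AUTH_HEADER_USER_EMAIL: X-User-Email
      RATE_LIMIT_ENABLED: "true"
      CACHE_ENABLED: "false"
      METRICS_ENABLED: "true"
      # OAuth2 / OIDC Configuration (for Keycloak)
      OAUTH2_ENABLED: "false"
      OAUTH2_PROVIDER_URL: http://keycloak:8080/realms/kms
      OAUTH2_CLIENT_ID: kms-api
      # Must match the client secret in the realm imported from
      # ./sso-config/keycloak; dev value kept as default for that reason.
      OAUTH2_CLIENT_SECRET: ${OAUTH2_CLIENT_SECRET:-kms-client-secret}
      OAUTH2_REDIRECT_URL: http://localhost:8081/api/oauth2/callback
      # SAML Configuration (for SimpleSAMLphp)
      SAML_ENABLED: "false"
      SAML_IDP_SSO_URL: http://saml-idp:8080/simplesaml/saml2/idp/SSOService.php
      SAML_IDP_METADATA_URL: http://saml-idp:8080/simplesaml/saml2/idp/metadata.php
      SAML_SP_ENTITY_ID: http://localhost:8081
      SAML_SP_ACS_URL: http://localhost:8081/api/saml/acs
      SAML_SP_SLS_URL: http://localhost:8081/api/saml/sls
    ports:
      # Direct API access for local debugging only; go through nginx otherwise.
      - "127.0.0.1:8080:8080"
      - "127.0.0.1:9090:9090"  # Metrics port (unauthenticated; keep local)
    depends_on:
      postgres:
        condition: service_healthy
    networks:
      - kms-network
    volumes:
      - ./migrations:/app/migrations:ro,Z
    restart: unless-stopped

  frontend:
    build:
      context: ./kms-frontend
      dockerfile: Dockerfile
    container_name: kms-frontend
    ports:
      - "127.0.0.1:3000:80"
    networks:
      - kms-network
    restart: unless-stopped

  # Keycloak OAuth2/OIDC Identity Provider for testing
  keycloak:
    image: quay.io/keycloak/keycloak:25.0.2
    container_name: kms-keycloak
    environment:
      KEYCLOAK_ADMIN: admin
      # Dev default; override in .env. Admin console is loopback-bound below.
      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
      KC_DB: dev-file
    ports:
      - "127.0.0.1:8090:8080"
    networks:
      - kms-network
    # start-dev disables TLS and production hardening; test use only.
    command: ["start-dev", "--import-realm"]
    volumes:
      - ./sso-config/keycloak:/opt/keycloak/data/import:Z
    restart: unless-stopped

  # SimpleSAMLphp SAML Identity Provider for testing
  saml-idp:
    image: kristophjunge/test-saml-idp:1.15
    container_name: kms-saml-idp
    environment:
      SIMPLESAMLPHP_SP_ENTITY_ID: http://localhost:8081
      SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://localhost:8081/api/saml/acs
      SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://localhost:8081/api/saml/sls
      SIMPLESAMLPHP_TRUSTED_DOMAINS: '["localhost", "kms-api-service", "kms-nginx"]'
    ports:
      - "127.0.0.1:8091:8080"
      - "127.0.0.1:8443:8443"
    networks:
      - kms-network
    restart: unless-stopped

volumes:
  postgres_data:
    driver: local

networks:
  kms-network:
    driver: bridge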