services:

  backend:
    build: ./backend
    container_name: orcid-backend
    restart: unless-stopped
    ports:
      - "0.0.0.0:8072:8000"
    env_file:
      - ./backend/.env
    environment:
      DATABASE_URL: postgresql://postgres:postgres@db:5432/orcid_db
      REDIS_URL: redis://redis:6379/0
      # Uncomment for local dev with ngrok (overrides backend/.env value):
      # ORCID_REDIRECT_URI: https://jargon-supreme-palpable.ngrok-free.dev/callback
    depends_on:
      db:
        condition: service_healthy
      redis:
        condition: service_started
    read_only: true
    tmpfs:
      - /tmp
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    healthcheck:
      test: ["CMD", "curl", "-fsS", "http://127.0.0.1:8000/health"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 15s

  frontend:
    build: ./frontend
    container_name: orcid-frontend
    restart: unless-stopped
    ports:
      - "0.0.0.0:8073:5173"
    depends_on:
      - backend
    env_file:
      - ./frontend/.env
    security_opt:
      - no-new-privileges:true

  db:
    image: postgres:16
    container_name: orcid-postgres
    restart: unless-stopped
    environment:
      POSTGRES_USER: postgres
      POSTGRES_PASSWORD: postgres
      POSTGRES_DB: orcid_db
    expose:
      - "5432"
    volumes:
      - postgres_data:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U postgres -d orcid_db"]
      interval: 2s
      timeout: 3s
      retries: 20
    security_opt:
      - no-new-privileges:true

  redis:
    image: redis:7
    container_name: orcid-redis
    restart: unless-stopped
    command: ["redis-server", "--save", "60", "1", "--loglevel", "warning"]
    expose:
      - "6379"
    security_opt:
      - no-new-privileges:true

volumes:
  postgres_data: