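# Komodo stack: MongoDB + Komodo Core (UI/API) + Komodo Periphery (Docker agent).
# Secrets referenced as ${...} are substituted by Compose from the environment
# or an .env file and must not be committed alongside this file.
services:
  # ──────────────────────────────────────────────────────────────────
  # MongoDB – database for Komodo Core
  # Network: komodo_net (internal: true) – never frontend_net
  # ──────────────────────────────────────────────────────────────────
  komodo-mongo:
    # NOTE(review): unlike the two Komodo images below, this tag is not pinned
    # by digest. Pin it the same way once the image has been verified, e.g.
    # mongo:7@sha256:<digest-of-the-verified-image>.
    image: mongo:7
    container_name: komodo-mongo
    restart: unless-stopped
    command: --quiet
    volumes:
      - /mnt/user/appdata/komodo/mongo:/data/db
      # The root password is mounted read-only as a file so that it does not
      # appear in this container's environment.
      - /mnt/user/appdata/secrets/komodo_mongo_password.txt:/run/secrets/mongo_password:ro
    networks:
      - komodo_net
    environment:
      - MONGO_INITDB_ROOT_USERNAME=komodo
      - MONGO_INITDB_ROOT_PASSWORD_FILE=/run/secrets/mongo_password
    healthcheck:
      test: ["CMD", "mongosh", "--eval", "db.adminCommand('ping')"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 30s
    security_opt:
      - "no-new-privileges:true"

  # ──────────────────────────────────────────────────────────────────
  # Komodo Core – management UI (Portainer replacement)
  # Network: frontend_net (Traefik) + komodo_net (MongoDB/Periphery)
  # Admin service: dashboard-auth@file + secure-headers@file are mandatory
  # ──────────────────────────────────────────────────────────────────
  komodo-core:
    # The digest pins the exact image; when a digest is present the :latest tag
    # is not used for resolution, so an update means changing the digest.
    image: ghcr.io/mbecker20/komodo:latest@sha256:d0a201fdf7113b7a47fe925e0a8a9c337f632980a27f151729030f05e99e22c0
    container_name: komodo-core
    restart: unless-stopped
    depends_on:
      komodo-mongo:
        condition: service_healthy
    volumes:
      - /mnt/user/appdata/komodo/core:/repo-cache
    networks:
      - komodo_net
      - frontend_net
    extra_hosts:
      # NOTE(review): presumably the Git host's address on frontend_net; a
      # static mapping goes stale if that container's IP changes – confirm.
      - "git.kaleschke.info:172.30.0.17"
    environment:
      # Secrets passed as environment variables are readable through
      # `docker inspect` by anyone with access to the Docker API.
      # NOTE(review): the MongoDB password below must match the contents of the
      # file mounted into komodo-mongo; check whether this Komodo version
      # offers a file-based alternative for its secrets.
      - TZ=Europe/Berlin
      - KOMODO_HOST=https://komodo.kaleschke.info
      - KOMODO_TITLE=Kallilabcore
      - KOMODO_SECRET_KEY=${KOMODO_SECRET_KEY}
      # NOTE(review): the webhook secret reuses KOMODO_SECRET_KEY. A webhook
      # secret has to be shared with the Git host that sends the webhooks, so
      # it should be a separate value. Left unchanged here because a dedicated
      # variable must first be defined in the environment / .env file.
      - KOMODO_WEBHOOK_SECRET=${KOMODO_SECRET_KEY}
      - KOMODO_MONGO_ADDRESS=komodo-mongo:27017
      - KOMODO_MONGO_USERNAME=komodo
      - KOMODO_MONGO_PASSWORD=${KOMODO_MONGO_PASSWORD}
      - KOMODO_LOG_LEVEL=info
      - KOMODO_LOCAL_AUTH=true
      - KOMODO_JWT_SECRET=${KOMODO_JWT_SECRET}
    labels:
      - traefik.enable=true
      - traefik.docker.network=frontend_net
      - 'traefik.http.routers.komodo.rule=Host(`komodo.kaleschke.info`)'
      - traefik.http.routers.komodo.entrypoints=websecure
      - traefik.http.routers.komodo.tls=true
      - traefik.http.routers.komodo.tls.certresolver=le
      # Attaches the middleware chain that the header above declares mandatory;
      # without this label the router is published with neither of them.
      # Both names must exist in Traefik's file provider, otherwise Traefik
      # will refuse to serve this router.
      # NOTE(review): confirm that dashboard-auth does not interfere with
      # Komodo's own API clients or incoming webhooks.
      - traefik.http.routers.komodo.middlewares=dashboard-auth@file,secure-headers@file
      - traefik.http.services.komodo.loadbalancer.server.port=9120
    security_opt:
      - "no-new-privileges:true"

  # ──────────────────────────────────────────────────────────────────
  # Komodo Periphery – Docker agent on Kallilabcore
  # Network: komodo_net (internal) – no Traefik needed
  # Exception: Docker socket without :ro (Periphery starts/stops containers)
  # ──────────────────────────────────────────────────────────────────
  komodo-periphery:
    # Pinned by digest, same as komodo-core.
    image: ghcr.io/mbecker20/periphery:latest@sha256:087babb8a6090882846750f72c48323007cbf9a548bd930a19a0c09e8220d95c
    container_name: komodo-periphery
    restart: unless-stopped
    volumes:
      # Access to the Docker socket is equivalent to root on the host, and
      # no-new-privileges does not limit what can be done through the Docker
      # API. The controls that matter for this container are the passkey and
      # keeping it reachable only on komodo_net.
      - /var/run/docker.sock:/var/run/docker.sock
      - /mnt/user/appdata/komodo/periphery:/etc/komodo
    networks:
      - komodo_net
    environment:
      # NOTE(review): /mnt/user/services is not mounted into this container;
      # verify that Periphery can use it as its root directory as intended.
      - PERIPHERY_ROOT_DIRECTORY=/mnt/user/services
      # NOTE(review): upstream examples use the plural PERIPHERY_PASSKEYS;
      # verify that this variable name is honoured by the pinned version. If it
      # is ignored, the agent may accept requests without a passkey.
      - PERIPHERY_PASSKEY=${KOMODO_PERIPHERY_PASSKEY}
      - TZ=Europe/Berlin
    extra_hosts:
      # NOTE(review): komodo_net is internal, so this LAN address may not be
      # reachable from inside the container – verify.
      - "git.kaleschke.info:192.168.178.58"
    security_opt:
      - "no-new-privileges:true"

networks:
  # Created outside this file and shared with Traefik.
  frontend_net:
    external: true
  # internal: true – containers on this network get no route to the outside.
  komodo_net:
    name: komodo_net
    internal: true
    driver: bridge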