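---
# Compose stack: Postgres 17 plus the app container built from this directory.
# Credentials and tokens come from the host environment (or a local .env);
# nothing in this file should hold a real secret. POSTGRES_PASSWORD falls back
# to the historical "admin" value only so an unconfigured dev checkout still
# starts — set it explicitly for any deployment reachable beyond localhost.
services:
  postgres:
    image: postgres:17-alpine
    restart: unless-stopped
    environment:
      POSTGRES_USER: admin
      # Override from the host environment / .env; the default is dev-only.
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-admin}
      POSTGRES_DB: admin_arikigame
    volumes:
      - pgdata:/var/lib/postgresql/data
      # Mounted read-only; the entrypoint only runs init scripts on an empty volume.
      - ./db/schema.sql:/docker-entrypoint-initdb.d/01-schema.sql:ro
    ports:
      # Loopback only: reachable from the host, not from the network.
      - "127.0.0.1:5432:5432"
    healthcheck:
      # No password here — pg_isready only checks that the server accepts connections.
      test: ["CMD-SHELL", "pg_isready -U admin -d admin_arikigame"]
      interval: 5s
      timeout: 3s
      retries: 5

  app:
    build: .
    restart: unless-stopped
    depends_on:
      postgres:
        condition: service_healthy
    extra_hosts:
      # Lets the container reach services on the Docker host (whois proxy, Gitea).
      - "host.docker.internal:host-gateway"
    environment:
      # Uses the same POSTGRES_PASSWORD variable as the postgres service so the
      # two cannot drift apart.
      DATABASE_URL: "postgresql://admin:${POSTGRES_PASSWORD:-admin}@postgres:5432/admin_arikigame"
      # Gitea HTTPS on host :443 (built-in ACME). Override for local dev if needed.
      GITEA_URL: ${GITEA_URL:-https://git.arikigame.com}
      # Tokens default to empty so the stack starts without them; confirm the app
      # treats an empty value as "not configured" rather than as a credential.
      GITEA_SERVICE_TOKEN: ${GITEA_SERVICE_TOKEN:-}
      GITEA_TOKEN: ${GITEA_TOKEN:-}
      TS_API_KEY: ${TS_API_KEY:-}
      TS_TAILNET: ${TS_TAILNET:-}
      GITHUB_TOKEN: ${GITHUB_TOKEN:-}
      MCP_STATIC_TOKEN: ${MCP_STATIC_TOKEN:-}
      CRON_SECRET: ${CRON_SECRET:-}
      ANTHROPIC_API_KEY: ${ANTHROPIC_API_KEY:-}
      BOOTSTRAP_ADMIN_EMAIL: ${BOOTSTRAP_ADMIN_EMAIL:-}
      # Quoted so the app receives the string "false", not a YAML boolean.
      ALLOW_DEV_AUTH: "false"
      # Host runs scripts/tailscale-whois-proxy.mjs — see docs/TAILSCALE-PRODUCTION.md
      TAILSCALE_WHOIS_PROXY_URL: ${TAILSCALE_WHOIS_PROXY_URL:-}
      # Well away from :3000/:3001 dev defaults and from git (:443 / :22).
      PORT: "8088"
      # Bind on all interfaces so tailnet clients can reach the portal (whois proxy auth).
      HOSTNAME: "0.0.0.0"
    # Primary HTTPS UX: Tailscale MagicDNS Serve → https://<node>.tailnet.ts.net/
    # No host-IP prefix, so the port is published on every host interface —
    # presumably intentional given the HOSTNAME note above; restrict it to
    # 127.0.0.1 if only Tailscale Serve should front the app.
    ports:
      - "8088:8088"

volumes:
  # Bare key is the Compose idiom for a named volume with default options.
  pgdata: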