services:
  db:
    image: postgres:16-alpine
    restart: unless-stopped
    environment:
      POSTGRES_DB: ${POSTGRES_DB}
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
    volumes:
      - postgres_data:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
      interval: 5s
      timeout: 5s
      retries: 10
    networks:
      - internal

  backend:
    image: ${REGISTRY}/saas-imobiliaria-backend:${IMAGE_TAG:-latest}
    restart: unless-stopped
    environment:
      DATABASE_URL: postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}
      SECRET_KEY: ${SECRET_KEY}
      JWT_SECRET_KEY: ${JWT_SECRET_KEY}
      FLASK_ENV: production
      FLASK_APP: app
      CORS_ORIGINS: https://${DOMAIN}
      IMAGE_TAG: ${IMAGE_TAG:-latest}
    depends_on:
      db:
        condition: service_healthy
    networks:
      - internal
      - traefik-public
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik-public"
      # Router
      - "traefik.http.routers.imob-api.rule=Host(`${DOMAIN}`) && PathPrefix(`/api`)"
      - "traefik.http.routers.imob-api.entrypoints=websecure"
      - "traefik.http.routers.imob-api.tls=true"
      - "traefik.http.routers.imob-api.tls.certresolver=letsencrypt"
      # Service
      - "traefik.http.services.imob-api.loadbalancer.server.port=5000"
      # Strip /api prefix before forwarding to Flask
      - "traefik.http.middlewares.imob-api-strip.stripprefix.prefixes=/api"
      - "traefik.http.routers.imob-api.middlewares=imob-api-strip"

  frontend:
    image: ${REGISTRY}/saas-imobiliaria-frontend:${IMAGE_TAG:-latest}
    restart: unless-stopped
    depends_on:
      - backend
    networks:
      - internal
      - traefik-public
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik-public"
      # Router
      - "traefik.http.routers.imob-frontend.rule=Host(`${DOMAIN}`)"
      - "traefik.http.routers.imob-frontend.entrypoints=websecure"
      - "traefik.http.routers.imob-frontend.tls=true"
      - "traefik.http.routers.imob-frontend.tls.certresolver=letsencrypt"
      # Redirect HTTP → HTTPS
      - "traefik.http.routers.imob-frontend-http.rule=Host(`${DOMAIN}`)"
      - "traefik.http.routers.imob-frontend-http.entrypoints=web"
      - "traefik.http.routers.imob-frontend-http.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true"
      # Service
      - "traefik.http.services.imob-frontend.loadbalancer.server.port=80"

networks:
  internal:
    driver: bridge
  traefik-public:
    external: true

volumes:
  postgres_data: