## Default registry is GHCR because the GitHub release workflow publishes:
##   ghcr.io/bigbodycobain/shadowbroker-backend:latest
##   ghcr.io/bigbodycobain/shadowbroker-frontend:latest
##
## GitLab mirror images can still be used by swapping the image lines to:
##   registry.gitlab.com/bigbodycobain/shadowbroker/backend:latest
##   registry.gitlab.com/bigbodycobain/shadowbroker/frontend:latest

services:
  backend:
    image: ghcr.io/bigbodycobain/shadowbroker-backend:latest
    container_name: shadowbroker-backend
    ports:
      - "${BIND:-127.0.0.1}:${BACKEND_PORT:-8000}:8000"
    environment:
      - AIS_API_KEY=${AIS_API_KEY:-}
      - OPENSKY_CLIENT_ID=${OPENSKY_CLIENT_ID:-}
      - OPENSKY_CLIENT_SECRET=${OPENSKY_CLIENT_SECRET:-}
      - LTA_ACCOUNT_KEY=${LTA_ACCOUNT_KEY:-}
      - ADMIN_KEY=${ADMIN_KEY:-}
      - FINNHUB_API_KEY=${FINNHUB_API_KEY:-}
      # Override allowed CORS origins (comma-separated). Auto-detects LAN IPs if empty.
      - CORS_ORIGINS=${CORS_ORIGINS:-}
      # Default public Infonet seed used for pull-only sync by fresh installs.
      - MESH_DEFAULT_SYNC_PEERS=${MESH_DEFAULT_SYNC_PEERS:-https://node.shadowbroker.info}
      # Operator-trusted sync/push peers. Leave empty unless you control the peer secret on both sides.
      - MESH_RELAY_PEERS=${MESH_RELAY_PEERS:-}
      # Shared transport auth for operator peer push. Must be set to a unique secret per deployment.
      - MESH_PEER_PUSH_SECRET=${MESH_PEER_PUSH_SECRET:-}
      # Meshtastic MQTT is opt-in to avoid passive load on the public broker.
      # Set MESH_MQTT_ENABLED=true in .env only when this node should join live MQTT.
      - MESH_MQTT_ENABLED=${MESH_MQTT_ENABLED:-false}
      - MESH_MQTT_BROKER=${MESH_MQTT_BROKER:-mqtt.meshtastic.org}
      - MESH_MQTT_PORT=${MESH_MQTT_PORT:-1883}
      - MESH_MQTT_USER=${MESH_MQTT_USER:-meshdev}
      - MESH_MQTT_PASS=${MESH_MQTT_PASS:-large4cats}
      - MESH_MQTT_PSK=${MESH_MQTT_PSK:-}
      - MESH_MQTT_INCLUDE_DEFAULT_ROOTS=${MESH_MQTT_INCLUDE_DEFAULT_ROOTS:-true}
      - MESH_MQTT_EXTRA_ROOTS=${MESH_MQTT_EXTRA_ROOTS:-}
      - MESH_MQTT_EXTRA_TOPICS=${MESH_MQTT_EXTRA_TOPICS:-}
      - MESHTASTIC_OPERATOR_CALLSIGN=${MESHTASTIC_OPERATOR_CALLSIGN:-}
      # The bundled Docker UI talks to the backend across Docker's private bridge.
      # Treat that bridge as local operator access while ports remain bound to 127.0.0.1 by default.
      - SHADOWBROKER_TRUST_DOCKER_BRIDGE_LOCAL_OPERATOR=${SHADOWBROKER_TRUST_DOCKER_BRIDGE_LOCAL_OPERATOR:-1}
    volumes:
      - backend_data:/app/data
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8000/api/health"]
      interval: 15s
      timeout: 10s
      retries: 5
      start_period: 60s
    deploy:
      resources:
        limits:
          memory: ${BACKEND_MEMORY_LIMIT:-4G}
          cpus: '2'

  frontend:
    image: ghcr.io/bigbodycobain/shadowbroker-frontend:latest
    container_name: shadowbroker-frontend
    ports:
      - "${BIND:-127.0.0.1}:3000:3000"
    environment:
      # Points the Next.js server-side proxy at the backend container via Docker networking.
      # Change this if your backend runs on a different host or port.
      - BACKEND_URL=http://backend:8000
    depends_on:
      backend:
        condition: service_healthy
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "wget", "-q", "--spider", "http://127.0.0.1:3000/"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 20s
    deploy:
      resources:
        limits:
          memory: 512M
          cpus: '1'

volumes:
  backend_data: