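# Compose stack: Prefect 3 (server, services, worker) backed by Postgres and
# Redis, a local image registry, a Docker socket proxy and the FuzzForge
# backend. The live-reload command and test-project mounts suggest this is
# meant for local development.
#
# Security notes for operators:
#   - A `ports:` entry without a host IP is published on every host interface.
#     That applies to the registry (5001), the Prefect API (4200) and the
#     backend (8000, 8010); none of them has authentication configured in this
#     file. Restrict them with a host firewall or an explicit bind address if
#     the host is reachable from untrusted networks.
#   - Images use floating tags (or no tag at all), so the running code can
#     change between pulls. Pin by version or digest for reproducible,
#     reviewable deployments.
#   - Database credentials below are fixed defaults; Postgres and Redis are
#     reachable only on the compose network because they publish no ports.
services:
  registry:
    image: registry:2
    restart: unless-stopped
    # Plain-HTTP registry with no auth configured here. Anything that can
    # reach host port 5001 can push images that the worker later pulls and
    # runs, so treat reachability of this port as a trust boundary.
    ports:
      - "5001:5000"
    volumes:
      - registry_data:/var/lib/registry
    healthcheck:
      test: ["CMD-SHELL", "wget -q --spider http://localhost:5000/v2/ || exit 1"]
      interval: 10s
      timeout: 5s
      retries: 3

  postgres:
    image: postgres:14
    environment:
      # Fixed default credentials; they must match the connection URLs used by
      # prefect-server and prefect-services below.
      POSTGRES_USER: prefect
      POSTGRES_PASSWORD: prefect
      POSTGRES_DB: prefect
    volumes:
      - postgres_data:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U prefect"]
      interval: 5s
      timeout: 5s
      retries: 5

  redis:
    # No password is configured; access is limited to the compose network.
    image: redis:7
    volumes:
      - redis_data:/data
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping"]
      interval: 5s
      timeout: 5s
      retries: 5

  prefect-server:
    image: prefecthq/prefect:3-latest
    depends_on:
      postgres:
        condition: service_healthy
      redis:
        condition: service_healthy
    environment:
      PREFECT_API_DATABASE_CONNECTION_URL: postgresql+asyncpg://prefect:prefect@postgres:5432/prefect
      PREFECT_SERVER_API_HOST: 0.0.0.0
      PREFECT_API_URL: http://localhost:4200/api
      PREFECT_MESSAGING_BROKER: prefect_redis.messaging
      PREFECT_MESSAGING_CACHE: prefect_redis.messaging
      PREFECT_REDIS_MESSAGING_HOST: redis
      PREFECT_REDIS_MESSAGING_PORT: "6379"
      PREFECT_REDIS_MESSAGING_DB: "0"
      PREFECT_LOCAL_STORAGE_PATH: /prefect-storage
      PREFECT_RESULTS_PERSIST_BY_DEFAULT: "true"
    command: >
      sh -c "
      mkdir -p /prefect-storage &&
      chmod 755 /prefect-storage &&
      prefect server start --no-services
      "
    # The Prefect API is published on all host interfaces with no
    # authentication configured in this file.
    ports:
      - "4200:4200"
    volumes:
      - prefect_storage:/prefect-storage

  prefect-services:
    image: prefecthq/prefect:3-latest
    depends_on:
      postgres:
        condition: service_healthy
      redis:
        condition: service_healthy
    environment:
      PREFECT_API_DATABASE_CONNECTION_URL: postgresql+asyncpg://prefect:prefect@postgres:5432/prefect
      PREFECT_MESSAGING_BROKER: prefect_redis.messaging
      PREFECT_MESSAGING_CACHE: prefect_redis.messaging
      PREFECT_REDIS_MESSAGING_HOST: redis
      PREFECT_REDIS_MESSAGING_PORT: "6379"
      PREFECT_REDIS_MESSAGING_DB: "0"
      PREFECT_LOCAL_STORAGE_PATH: /prefect-storage
      PREFECT_RESULTS_PERSIST_BY_DEFAULT: "true"
    command: >
      sh -c "
      mkdir -p /prefect-storage &&
      chmod 755 /prefect-storage &&
      prefect server services start
      "
    volumes:
      - prefect_storage:/prefect-storage

  docker-proxy:
    # No tag is given, so this resolves to the image's default (latest) tag.
    image: tecnativa/docker-socket-proxy
    environment:
      # Enable permissions needed for Prefect worker container creation and management
      CONTAINERS: "1"
      IMAGES: "1"
      BUILD: "1"
      VOLUMES: "1"
      NETWORKS: "1"
      SERVICES: "1"  # Required for some container operations
      TASKS: "1"  # Required for container management
      NODES: "1"  # Required for container scheduling
      # NOTE(review): POST is the proxy's documented switch for write methods;
      # confirm that GET/PUT/DELETE/HEAD are recognised by this image at all.
      GET: "1"
      POST: "1"
      PUT: "1"
      DELETE: "1"
      HEAD: "1"
      INFO: "1"
      VERSION: "1"
      PING: "1"
      EVENTS: "1"
      DISTRIBUTION: "1"
      AUTH: "1"
      # Still block the most dangerous operations
      # Caveat: with CONTAINERS and POST enabled a client can create and start
      # containers, which is roughly equivalent to control of the Docker
      # daemon. Blocking EXEC/SYSTEM/SWARM narrows the API but is not a
      # privilege boundary; every service that can reach this proxy must be
      # trusted accordingly.
      SYSTEM: "0"
      SWARM: "0"
      EXEC: "0"  # Keep container exec blocked for security
    volumes:
      # `:ro` only makes the socket path read-only inside the container; it
      # does not limit which API calls pass through. The ACL above is the
      # actual control.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    # Reachable only from the compose network. The previous `ports: ["2375"]`
    # published this unauthenticated Docker API on a random host port on all
    # interfaces; in-network clients use tcp://docker-proxy:2375 and do not
    # need a host port.
    expose:
      - "2375"
    networks:
      - default

  prefect-worker:
    image: prefecthq/prefect:3-latest
    depends_on:
      prefect-server:
        condition: service_started
      docker-proxy:
        condition: service_started
      registry:
        condition: service_healthy
    environment:
      PREFECT_API_URL: http://prefect-server:4200/api
      PREFECT_LOCAL_STORAGE_PATH: /prefect-storage
      PREFECT_RESULTS_PERSIST_BY_DEFAULT: "true"
      DOCKER_HOST: tcp://docker-proxy:2375
      DOCKER_BUILDKIT: "1"  # Enable BuildKit for better performance
      DOCKER_CONFIG: /tmp/docker
      # Registry URLs (set REGISTRY_HOST in your environment or .env)
      # - macOS/Windows Docker Desktop: REGISTRY_HOST=host.docker.internal
      # - Linux: REGISTRY_HOST=localhost (default)
      FUZZFORGE_REGISTRY_PUSH_URL: "${REGISTRY_HOST:-localhost}:5001"
      FUZZFORGE_REGISTRY_PULL_URL: "${REGISTRY_HOST:-localhost}:5001"
    # The startup script installs `prefect[docker]` from the package index on
    # every start without a version pin; baking it into a derived image would
    # make the worker reproducible and remove the runtime network dependency.
    # The fixed `sleep 15` is a timing assumption, not a readiness check.
    command: >
      sh -c "
      mkdir -p /tmp/docker &&
      mkdir -p /prefect-storage &&
      chmod 755 /prefect-storage &&
      echo '{\"insecure-registries\": [\"registry:5000\", \"localhost:5001\", \"host.docker.internal:5001\"]}' > /tmp/docker/config.json &&
      pip install 'prefect[docker]' &&
      echo 'Waiting for backend to create work pool...' &&
      sleep 15 &&
      prefect worker start --pool docker-pool --type docker
      "
    volumes:
      - prefect_storage:/prefect-storage  # Access to shared storage for results
      - toolbox_code:/opt/prefect/toolbox:ro  # Access to toolbox code for building
    networks:
      - default
    extra_hosts:
      - "host.docker.internal:host-gateway"

  fuzzforge-backend:
    build:
      context: ./backend
      dockerfile: Dockerfile
    depends_on:
      prefect-server:
        condition: service_started
      docker-proxy:
        condition: service_started
      registry:
        condition: service_healthy
    environment:
      PREFECT_API_URL: http://prefect-server:4200/api
      PREFECT_LOCAL_STORAGE_PATH: /prefect-storage
      PREFECT_RESULTS_PERSIST_BY_DEFAULT: "true"
      DOCKER_HOST: tcp://docker-proxy:2375
      DOCKER_BUILDKIT: "1"
      DOCKER_CONFIG: /tmp/docker
      # Empty value: the connection to docker-proxy is plain TCP without TLS.
      DOCKER_TLS_VERIFY: ""
      DOCKER_REGISTRY_INSECURE: "registry:5000,localhost:5001,host.docker.internal:5001"
      # Registry URLs (set REGISTRY_HOST in your environment or .env)
      # - macOS/Windows Docker Desktop: REGISTRY_HOST=host.docker.internal
      # - Linux: REGISTRY_HOST=localhost (default)
      FUZZFORGE_REGISTRY_PUSH_URL: "${REGISTRY_HOST:-localhost}:5001"
      FUZZFORGE_REGISTRY_PULL_URL: "${REGISTRY_HOST:-localhost}:5001"
    # Published on all host interfaces; uvicorn runs with --reload (see the
    # command below), which is a development setting.
    ports:
      - "8000:8000"
      - "8010:8010"
    volumes:
      - prefect_storage:/prefect-storage
      - ./backend/toolbox:/app/toolbox:ro  # Direct host mount (read-only) for live updates
      - toolbox_code:/opt/prefect/toolbox  # Share toolbox code with workers
      - ./test_projects:/app/test_projects:ro  # Test projects for workflow testing
    networks:
      - default
    extra_hosts:
      - "host.docker.internal:host-gateway"
    # Sync toolbox code to shared volume and start server with live reload
    # The loop body lines are indented deeper on purpose: in a folded (`>`)
    # scalar that keeps their line breaks, which the shell loop needs.
    command: >
      sh -c "
      mkdir -p /opt/prefect/toolbox &&
      mkdir -p /prefect-storage &&
      mkdir -p /tmp/docker &&
      chmod 755 /prefect-storage &&
      echo '{\"insecure-registries\": [\"registry:5000\", \"localhost:5001\", \"host.docker.internal:5001\"]}' > /tmp/docker/config.json &&
      cp -r /app/toolbox/* /opt/prefect/toolbox/ 2>/dev/null || true &&
      (while true; do
        rsync -av --delete /app/toolbox/ /opt/prefect/toolbox/ > /dev/null 2>&1 || true
        sleep 10
      done) &
      uv run uvicorn src.main:app --host 0.0.0.0 --port 8000 --reload
      "

volumes:
  postgres_data:
    name: fuzzforge_postgres_data
  redis_data:
    name: fuzzforge_redis_data
  prefect_storage:
    name: fuzzforge_prefect_storage
  toolbox_code:
    name: fuzzforge_toolbox_code
  registry_data:
    name: fuzzforge_registry_data

networks:
  default:
    name: fuzzforge_default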