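---
# Docker Compose stack: the Phoenix application and its PostgreSQL database.
# Credentials reach the containers as Docker secrets (files under
# /run/secrets) and are referenced through *_FILE variables, so no secret
# value appears in this file or in the container environment.
services:
  app:
    # NOTE(review): ":latest" is a mutable tag, so two pulls can run different
    # code. Pin a release tag or image digest to keep deployments
    # reproducible and auditable.
    image: git.local-it.org/local-it/mitgliederverwaltung:latest
    container_name: mv-prod-app
    ports:
      # Published without a host IP, so it listens on every host interface.
      # NOTE(review): nothing in this file adds TLS in front of this port;
      # confirm that a TLS-terminating proxy sits in front of it.
      - "4001:4001"
    environment:
      # Database configuration using separate variables
      # Use Docker service name for internal networking
      DATABASE_HOST: "db-prod"
      DATABASE_PORT: "5432"
      DATABASE_USER: "postgres"
      DATABASE_NAME: "mv_prod"
      DATABASE_PASSWORD_FILE: "/run/secrets/db_password"
      # Phoenix secrets via Docker secrets
      SECRET_KEY_BASE_FILE: "/run/secrets/secret_key_base"
      TOKEN_SIGNING_SECRET_FILE: "/run/secrets/token_signing_secret"
      PHX_HOST: "${PHX_HOST:-localhost}"
      PORT: "4001"
      PHX_SERVER: "true"
      # Rauthy OIDC config - use host.docker.internal to reach host services
      # NOTE(review): host.docker.internal resolves out of the box on Docker
      # Desktop; a Linux engine needs an extra_hosts entry mapping it to
      # host-gateway. Confirm for the target host.
      # NOTE(review): the provider URL and the redirect URI are plain http, so
      # authorization codes and tokens are unprotected in transit once
      # traffic leaves a single host. Use https endpoints for any deployment
      # other machines can reach.
      OIDC_CLIENT_ID: "mv"
      OIDC_BASE_URL: "http://host.docker.internal:8080/auth/v1"
      OIDC_CLIENT_SECRET_FILE: "/run/secrets/oidc_client_secret"
      # Fixed to localhost while PHX_HOST above is configurable; keep the two
      # in step when PHX_HOST is overridden, and keep this value identical to
      # the redirect URI registered with the provider.
      OIDC_REDIRECT_URI: "http://localhost:4001/auth/user/rauthy/callback"
    secrets:
      - db_password
      - secret_key_base
      - token_signing_secret
      - oidc_client_secret
    depends_on:
      - db-prod
    restart: unless-stopped

  db-prod:
    image: postgres:16-alpine
    container_name: mv-prod-db
    environment:
      POSTGRES_USER: "postgres"
      POSTGRES_PASSWORD_FILE: "/run/secrets/db_password"
      POSTGRES_DB: "mv_prod"
    secrets:
      - db_password
    volumes:
      - postgres_data_prod:/var/lib/postgresql/data
    ports:
      # Bound to loopback: the app reaches the database over the Compose
      # network as db-prod:5432 and needs no published port. This mapping
      # exists for local administration only. A mapping without a host IP
      # would expose PostgreSQL on every interface, and Docker's own packet
      # filter rules commonly take effect ahead of host firewall front ends.
      - "127.0.0.1:5001:5432"
    restart: unless-stopped

# File-backed secrets. These files hold live credentials: keep ./secrets out
# of version control and image build contexts, and make the files readable
# only by the account that runs Compose.
secrets:
  db_password:
    file: ./secrets/db_password.txt
  secret_key_base:
    file: ./secrets/secret_key_base.txt
  token_signing_secret:
    file: ./secrets/token_signing_secret.txt
  oidc_client_secret:
    file: ./secrets/oidc_client_secret.txt

volumes:
  # Named volume for the PostgreSQL data directory; an empty mapping selects
  # the default volume settings.
  postgres_data_prod: {}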