services:

  # ── Portal (main dashboard & SSO) ────────────────────────────────────────────
  portal:
    build: ./portal
    container_name: edp-portal
    expose:
      - "5001"
    volumes:
      - portal-data:/app/data
    environment:
      - FLASK_ENV=production
      - PORT=5001
      - SECRET_KEY=${PORTAL_SECRET_KEY:-change-this-portal-secret-in-production}
      - PORTAL_JWT_SECRET=${PORTAL_JWT_SECRET:-change-this-jwt-secret-in-production}
      - DATABASE_URL=sqlite:////app/data/portal.db
      - ADMIN_USERNAME=${ADMIN_USERNAME:-admin}
      - ADMIN_PASSWORD=${ADMIN_PASSWORD:-admin123}
      - ADMIN_EMAIL=${ADMIN_EMAIL:-admin@localhost}
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:5001/health').read()"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 20s
    networks:
      - edp-network

  # ── DigiServer v2 ─────────────────────────────────────────────────────────────
  digiserver-app:
    build: ./digiserver-v2
    container_name: edp-digiserver
    expose:
      - "5000"
    volumes:
      - ./digiserver-v2/data/instance:/app/instance
      - ./digiserver-v2/data/uploads:/app/app/static/uploads
    environment:
      - FLASK_ENV=production
      - SECRET_KEY=${DIGISERVER_SECRET_KEY:-change-digiserver-secret}
      - ADMIN_USERNAME=${ADMIN_USERNAME:-admin}
      - ADMIN_PASSWORD=${ADMIN_PASSWORD:-admin123}
      - PORTAL_JWT_SECRET=${PORTAL_JWT_SECRET:-change-this-jwt-secret-in-production}
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "sh", "-c", "python -c \"import urllib.request; urllib.request.urlopen('http://localhost:5000/', timeout=5)\" || true"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s
    networks:
      - edp-network

  # ── IT Asset Management ───────────────────────────────────────────────────────
  itassets-app:
    build: ./IT_asset_management
    container_name: edp-itassets
    expose:
      - "5000"
    volumes:
      - itassets-data:/app/data
      - itassets-uploads:/app/uploads
      - itassets-pdfs:/app/pdfs
      - itassets-docs:/app/doc_templates
      - itassets-docx:/app/docx_output
    environment:
      - FLASK_ENV=production
      - PORT=5000
      - SECRET_KEY=${ITASSETS_SECRET_KEY:-change-itassets-secret}
      - SQLALCHEMY_DATABASE_URI=sqlite:////app/data/itassets.db
      - PORTAL_JWT_SECRET=${PORTAL_JWT_SECRET:-change-this-jwt-secret-in-production}
      - FLASK_APP=run.py
    command: >
      sh -c "flask db upgrade && gunicorn -b 0.0.0.0:5000 -w 4 --timeout 120 run:app"
    restart: unless-stopped
    networks:
      - edp-network

  # ── Server Monitor (Raspberry Pi monitoring + Ansible) ────────────────────────
  srvmonitor-app:
    build: ./Server_Monitorizare_v2
    container_name: edp-srvmonitor
    expose:
      - "5000"
    volumes:
      - ./Server_Monitorizare_v2/data:/app/data
      - ./Server_Monitorizare_v2/logs:/app/logs
      - ./Server_Monitorizare_v2/ansible/inventory:/app/ansible/inventory
      - ./Server_Monitorizare_v2/ansible/ssh_keys:/app/ansible/ssh_keys
    environment:
      - FLASK_ENV=production
      - PORT=5000
      - PORTAL_JWT_SECRET=${PORTAL_JWT_SECRET:-change-this-jwt-secret-in-production}
    restart: unless-stopped
    networks:
      - edp-network

  # ── NetworkView Backend (Node/Express + SQLite) ───────────────────────────────
  networkview-backend:
    build:
      context: ./NetworkView/backend
      dockerfile: Dockerfile
    container_name: edp-networkview-backend
    expose:
      - "3001"
    volumes:
      - networkview-data:/data
    environment:
      - PORT=3001
      - PORTAL_JWT_SECRET=${PORTAL_JWT_SECRET:-change-this-jwt-secret-in-production}
      - NODE_ENV=production
    restart: unless-stopped
    networks:
      - edp-network

  # ── NetworkView Frontend (React/Vite SPA served by nginx) ────────────────────
  networkview-frontend:
    build:
      context: ./NetworkView/frontend
      dockerfile: Dockerfile
    container_name: edp-networkview-frontend
    expose:
      - "80"
    restart: unless-stopped
    networks:
      - edp-network

  # ── Umbrella Nginx Reverse Proxy ──────────────────────────────────────────────
  nginx:
    image: nginx:alpine
    container_name: edp-nginx
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./nginx/ssl:/etc/nginx/ssl:ro
      - ./nginx/logs:/var/log/nginx
    depends_on:
      - portal
      - digiserver-app
      - itassets-app
      - networkview-backend
      - networkview-frontend
      - srvmonitor-app
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://127.0.0.1:80/health"]
      interval: 30s
      timeout: 10s
      retries: 3
    networks:
      - edp-network

volumes:
  portal-data:
  itassets-data:
  itassets-uploads:
  itassets-pdfs:
  itassets-docs:
  itassets-docx:
  networkview-data:

networks:
  edp-network:
    driver: bridge