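# Production Docker Compose stack: PostgreSQL, Redis, MinIO, four Hyperledger
# Besu validators and the NestJS API, all attached to one bridge network.
#
# Every ${VAR} is substituted by Compose from the shell environment or an .env
# file. A variable written without a default or a ":?" guard renders as an
# empty string when it is unset, so the deployment pipeline should verify that
# all credentials are present before `up`.
#
# Secrets (database, Redis, MinIO, JWT, blockchain key) reach the containers as
# environment variables, which are readable through `docker inspect`.
# NOTE(review): consider Compose `secrets:` / mounted files where the images
# support them.
version: '3.9'

services:
  # PostgreSQL Database - Production
  postgres:
    image: postgres:15-alpine
    container_name: goa-gel-postgres-prod
    restart: always
    environment:
      POSTGRES_USER: ${DATABASE_USER}
      POSTGRES_PASSWORD: ${DATABASE_PASSWORD}
      POSTGRES_DB: ${DATABASE_NAME}
      POSTGRES_INITDB_ARGS: "--encoding=UTF8 --locale=C"
    ports:
      # Published on loopback only; other containers reach it as postgres:5432.
      - "127.0.0.1:5432:5432"
    volumes:
      - postgres_data_prod:/var/lib/postgresql/data
      - ./docker/postgres/init.sql:/docker-entrypoint-initdb.d/init.sql:ro
      - ./docker/postgres/backup.sh:/usr/local/bin/backup.sh:ro
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${DATABASE_USER} -d ${DATABASE_NAME}"]
      interval: 30s
      timeout: 10s
      retries: 5
    networks:
      - gel-network
    logging:
      driver: "awslogs"
      options:
        awslogs-group: "goa-gel-postgres"
        awslogs-region: ${AWS_REGION:-ap-south-1}
        awslogs-stream: "postgres"
    security_opt:
      # Blocks privilege gain through setuid/setgid binaries in the container.
      - no-new-privileges:true

  # Redis Cache - Production
  redis:
    image: redis:7-alpine
    container_name: goa-gel-redis-prod
    restart: always
    # ":?" makes Compose abort when REDIS_PASSWORD is unset or empty instead of
    # starting redis-server with --requirepass missing its value.
    # The password is part of the process arguments, so it is visible in `ps`
    # and `docker inspect`. NOTE(review): a mounted redis.conf would avoid that.
    command: redis-server --requirepass ${REDIS_PASSWORD:?REDIS_PASSWORD must be set} --appendonly yes --loglevel warning
    environment:
      # redis-cli reads REDISCLI_AUTH, so the health probe authenticates
      # without putting the password on its own command line.
      REDISCLI_AUTH: ${REDIS_PASSWORD}
    ports:
      - "127.0.0.1:6379:6379"
    volumes:
      - redis_data_prod:/data
    healthcheck:
      # The previous probe ran `incr ping` unauthenticated: with requirepass set
      # it could not show that the server answers commands, and INCR writes a
      # key on every run. An authenticated, read-only PING is checked instead.
      test: ["CMD-SHELL", "redis-cli ping | grep -q PONG"]
      interval: 30s
      timeout: 10s
      retries: 5
    networks:
      - gel-network
    logging:
      driver: "awslogs"
      options:
        awslogs-group: "goa-gel-redis"
        awslogs-region: ${AWS_REGION:-ap-south-1}
        awslogs-stream: "redis"
    security_opt:
      - no-new-privileges:true

  # MinIO Object Storage - Production
  minio:
    # NOTE(review): ":latest" is a moving tag; pin a release tag or digest so a
    # production deploy is reproducible and an upstream change cannot arrive
    # unreviewed.
    image: minio/minio:latest
    container_name: goa-gel-minio-prod
    restart: always
    environment:
      MINIO_ROOT_USER: ${MINIO_ACCESS_KEY}
      MINIO_ROOT_PASSWORD: ${MINIO_SECRET_KEY}
      MINIO_BROWSER_REDIRECT_URL: https://minio-console.goa-gel.gov.in
    ports:
      - "127.0.0.1:9000:9000"
      - "127.0.0.1:9001:9001"
    volumes:
      - minio_data_prod:/data
    # NOTE(review): --certs-dir points at /etc/minio/certs, but no volume in
    # this file mounts certificates there. Confirm where the certs come from,
    # and that the plain-http health probe below still matches once TLS is on.
    command: server /data --console-address ":9001" --certs-dir /etc/minio/certs
    healthcheck:
      # NOTE(review): confirm the image ships curl.
      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
      interval: 30s
      timeout: 20s
      retries: 3
    networks:
      - gel-network
    logging:
      driver: "awslogs"
      options:
        awslogs-group: "goa-gel-minio"
        awslogs-region: ${AWS_REGION:-ap-south-1}
        awslogs-stream: "minio"
    security_opt:
      - no-new-privileges:true

  # Hyperledger Besu Validator Node 1 - Production
  besu-validator-1:
    # NOTE(review): ":latest" is unpinned (all four validators); pin one
    # release tag or digest so every validator runs the same reviewed build.
    image: hyperledger/besu:latest
    container_name: goa-gel-besu-validator-1-prod
    restart: always
    command: --config-file=/etc/besu/config.toml
    environment:
      BESU_NODE_KEY_FILE: /etc/besu/node-keys/validator-1/key
      BESU_P2P_HOST: besu-validator-1
      BESU_METRICS_ENABLED: "true"
      # Metrics listen on every interface inside the container; the host-side
      # mapping below is what restricts them to loopback.
      BESU_METRICS_HOST: 0.0.0.0
    ports:
      - "127.0.0.1:8545:8545"
      - "127.0.0.1:8546:8546"
      # The only mapping per validator without a 127.0.0.1 prefix, so it binds
      # on every host interface. NOTE(review): the validators already share
      # gel-network; confirm external P2P exposure is needed and firewalled.
      - "30303:30303"
      - "127.0.0.1:9545:9545"
    volumes:
      - ./docker/besu/config.toml:/etc/besu/config.toml:ro
      - ./docker/besu/genesis.json:/etc/besu/genesis.json:ro
      # Validator signing key, read from the host and mounted read-only; the
      # host directory needs restrictive ownership and permissions.
      - ./docker/besu/node-keys/validator-1:/etc/besu/node-keys/validator-1:ro
      - besu-validator-1-data-prod:/var/lib/besu
    healthcheck:
      # NOTE(review): confirm the image ships curl and that a bare GET on the
      # RPC port returns a 2xx status.
      test: ["CMD", "curl", "-f", "http://localhost:8545"]
      interval: 30s
      timeout: 10s
      retries: 5
    networks:
      - gel-network
    logging:
      driver: "awslogs"
      options:
        awslogs-group: "goa-gel-besu-validator-1"
        awslogs-region: ${AWS_REGION:-ap-south-1}
        awslogs-stream: "validator-1"
    security_opt:
      - no-new-privileges:true

  # Hyperledger Besu Validator Node 2 - Production
  besu-validator-2:
    image: hyperledger/besu:latest
    container_name: goa-gel-besu-validator-2-prod
    restart: always
    command: --config-file=/etc/besu/config.toml
    environment:
      BESU_NODE_KEY_FILE: /etc/besu/node-keys/validator-2/key
      BESU_P2P_HOST: besu-validator-2
      BESU_METRICS_ENABLED: "true"
      BESU_METRICS_HOST: 0.0.0.0
    ports:
      # Was 127.0.0.1:8546, which validator-1 already binds for container port
      # 8546, so this container could not start. 8552 is simply a host port
      # this file leaves unused (chosen in review); adjust to your allocation.
      - "127.0.0.1:8552:8545"
      - "127.0.0.1:8547:8546"
      - "30304:30303"
      - "127.0.0.1:9546:9545"
    volumes:
      - ./docker/besu/config.toml:/etc/besu/config.toml:ro
      - ./docker/besu/genesis.json:/etc/besu/genesis.json:ro
      - ./docker/besu/node-keys/validator-2:/etc/besu/node-keys/validator-2:ro
      - besu-validator-2-data-prod:/var/lib/besu
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8545"]
      interval: 30s
      timeout: 10s
      retries: 5
    depends_on:
      besu-validator-1:
        condition: service_healthy
    networks:
      - gel-network
    logging:
      driver: "awslogs"
      options:
        awslogs-group: "goa-gel-besu-validator-2"
        awslogs-region: ${AWS_REGION:-ap-south-1}
        awslogs-stream: "validator-2"
    security_opt:
      - no-new-privileges:true

  # Hyperledger Besu Validator Node 3 - Production
  besu-validator-3:
    image: hyperledger/besu:latest
    container_name: goa-gel-besu-validator-3-prod
    restart: always
    command: --config-file=/etc/besu/config.toml
    environment:
      BESU_NODE_KEY_FILE: /etc/besu/node-keys/validator-3/key
      BESU_P2P_HOST: besu-validator-3
      BESU_METRICS_ENABLED: "true"
      BESU_METRICS_HOST: 0.0.0.0
    ports:
      - "127.0.0.1:8548:8545"
      - "127.0.0.1:8549:8546"
      - "30305:30303"
      - "127.0.0.1:9547:9545"
    volumes:
      - ./docker/besu/config.toml:/etc/besu/config.toml:ro
      - ./docker/besu/genesis.json:/etc/besu/genesis.json:ro
      - ./docker/besu/node-keys/validator-3:/etc/besu/node-keys/validator-3:ro
      - besu-validator-3-data-prod:/var/lib/besu
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8545"]
      interval: 30s
      timeout: 10s
      retries: 5
    depends_on:
      besu-validator-2:
        condition: service_healthy
    networks:
      - gel-network
    logging:
      driver: "awslogs"
      options:
        awslogs-group: "goa-gel-besu-validator-3"
        awslogs-region: ${AWS_REGION:-ap-south-1}
        awslogs-stream: "validator-3"
    security_opt:
      - no-new-privileges:true

  # Hyperledger Besu Validator Node 4 - Production
  besu-validator-4:
    image: hyperledger/besu:latest
    container_name: goa-gel-besu-validator-4-prod
    restart: always
    command: --config-file=/etc/besu/config.toml
    environment:
      BESU_NODE_KEY_FILE: /etc/besu/node-keys/validator-4/key
      BESU_P2P_HOST: besu-validator-4
      BESU_METRICS_ENABLED: "true"
      BESU_METRICS_HOST: 0.0.0.0
    ports:
      - "127.0.0.1:8550:8545"
      - "127.0.0.1:8551:8546"
      - "30306:30303"
      - "127.0.0.1:9548:9545"
    volumes:
      - ./docker/besu/config.toml:/etc/besu/config.toml:ro
      - ./docker/besu/genesis.json:/etc/besu/genesis.json:ro
      - ./docker/besu/node-keys/validator-4:/etc/besu/node-keys/validator-4:ro
      - besu-validator-4-data-prod:/var/lib/besu
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8545"]
      interval: 30s
      timeout: 10s
      retries: 5
    depends_on:
      besu-validator-3:
        condition: service_healthy
    networks:
      - gel-network
    logging:
      driver: "awslogs"
      options:
        awslogs-group: "goa-gel-besu-validator-4"
        awslogs-region: ${AWS_REGION:-ap-south-1}
        awslogs-stream: "validator-4"
    security_opt:
      - no-new-privileges:true

  # NestJS API Service - Production
  api:
    # NOTE(review): VERSION falls back to "latest"; production deploys should
    # always set an explicit, immutable tag.
    image: ${DOCKER_REGISTRY:-goa-gel}/api:${VERSION:-latest}
    container_name: goa-gel-api-prod
    restart: always
    environment:
      NODE_ENV: production
      APP_PORT: "3001"
      APP_HOST: 0.0.0.0
      DATABASE_HOST: postgres
      DATABASE_PORT: "5432"
      DATABASE_NAME: ${DATABASE_NAME}
      DATABASE_USER: ${DATABASE_USER}
      DATABASE_PASSWORD: ${DATABASE_PASSWORD}
      # NOTE(review): the postgres service in this file sets no TLS options;
      # confirm init.sql or the image configuration enables SSL, otherwise the
      # API's connection settings and the server disagree.
      DATABASE_SSL: "true"
      REDIS_HOST: redis
      REDIS_PORT: "6379"
      REDIS_PASSWORD: ${REDIS_PASSWORD}
      # NOTE(review): redis-server above is started without any TLS flags;
      # confirm how the API is expected to negotiate TLS with it.
      REDIS_TLS: "true"
      # JSON-RPC goes over plain http to a single validator on the internal
      # network.
      BLOCKCHAIN_RPC_URL: http://besu-validator-1:8545
      BLOCKCHAIN_CHAIN_ID: ${BLOCKCHAIN_CHAIN_ID:-1337}
      BLOCKCHAIN_GAS_PRICE: ${BLOCKCHAIN_GAS_PRICE:-1000000000}
      BLOCKCHAIN_GAS_LIMIT: ${BLOCKCHAIN_GAS_LIMIT:-6000000}
      BLOCKCHAIN_PRIVATE_KEY: ${BLOCKCHAIN_PRIVATE_KEY}
      MINIO_ENDPOINT: minio
      MINIO_PORT: "9000"
      MINIO_ACCESS_KEY: ${MINIO_ACCESS_KEY}
      MINIO_SECRET_KEY: ${MINIO_SECRET_KEY}
      # NOTE(review): depends on certificates being present in the minio
      # container (see the --certs-dir note on that service).
      MINIO_USE_SSL: "true"
      JWT_SECRET: ${JWT_SECRET}
      JWT_EXPIRATION: ${JWT_EXPIRATION:-7d}
      # Unset renders as an empty string. NOTE(review): confirm how the API
      # treats an empty CORS origin.
      CORS_ORIGIN: ${CORS_ORIGIN}
      LOG_LEVEL: ${LOG_LEVEL:-warn}
      ENABLE_BLOCKCHAIN_VERIFICATION: "true"
      ENABLE_AUDIT_LOGGING: "true"
      ENABLE_RATE_LIMITING: "true"
      SENTRY_DSN: ${SENTRY_DSN}
    ports:
      # Loopback only. NOTE(review): presumably a reverse proxy on the host
      # terminates TLS in front of this port - confirm.
      - "127.0.0.1:3001:3001"
    depends_on:
      postgres:
        condition: service_healthy
      redis:
        condition: service_healthy
      minio:
        condition: service_healthy
      besu-validator-1:
        condition: service_healthy
    networks:
      - gel-network
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:3001/health"]
      interval: 30s
      timeout: 10s
      # Compose spells this key with an underscore; "start-period" is not a
      # healthcheck property.
      start_period: 60s
      retries: 5
    logging:
      driver: "awslogs"
      options:
        awslogs-group: "goa-gel-api"
        awslogs-region: ${AWS_REGION:-ap-south-1}
        awslogs-stream: "api"
    security_opt:
      - no-new-privileges:true
    # Only the API carries CPU/memory limits; the data stores and validators
    # are unbounded in this file.
    deploy:
      resources:
        limits:
          cpus: '2'
          memory: 1G
        reservations:
          cpus: '1'
          memory: 512M

networks:
  gel-network:
    driver: bridge
    ipam:
      config:
        - subnet: 172.20.0.0/16

volumes:
  postgres_data_prod:
    driver: local
  redis_data_prod:
    driver: local
  minio_data_prod:
    driver: local
  besu-validator-1-data-prod:
    driver: local
  besu-validator-2-data-prod:
    driver: local
  besu-validator-3-data-prod:
    driver: local
  besu-validator-4-data-prod:
    driver: local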