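---
# Production override for MCPTesta Docker Compose
# Use with: docker compose -f docker-compose.yml -f docker-compose.prod.yml up
#
# This file is merged on top of docker-compose.yml: mappings are merged key by
# key and most sequences are combined rather than replaced. Anything the base
# file defines and this file does not mention stays in effect.

services:
  docs:
    build:
      target: production
      args:
        NODE_ENV: production
    environment:
      NODE_ENV: production

    # Remove development volume mounts.
    # An empty list in an override file adds nothing and removes nothing,
    # because Compose merges volume entries by container mount path. The
    # `!reset` tag is what actually drops the mounts inherited from the base
    # file, so development bind mounts do not follow the service into
    # production. Requires a Docker Compose release that supports `!reset`.
    volumes: !reset []

    # Production resource limits
    deploy:
      replicas: 2
      # NOTE(review): update_config describes rolling updates for an
      # orchestrated deployment; confirm the target runtime honours it when
      # the stack is started with `docker compose up`.
      update_config:
        parallelism: 1
        failure_action: rollback
        delay: 10s
        order: start-first
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
      resources:
        limits:
          cpus: '1.0'
          memory: 256m
        reservations:
          cpus: '0.25'
          memory: 128m

    # Enhanced security for production
    # no-new-privileges stops setuid/setgid binaries from raising privileges
    # inside the container; the AppArmor entry pins the default Docker profile.
    security_opt:
      - 'no-new-privileges:true'
      - 'apparmor:docker-default'

    # Read-only filesystem for production. The tmpfs mounts below are the only
    # writable paths; noexec/nosuid keep them from being used to stage
    # executables.
    read_only: true
    tmpfs:
      - /tmp:noexec,nosuid,size=50m
      - /var/cache/nginx:noexec,nosuid,size=10m
      - /var/log/nginx:noexec,nosuid,size=10m

    # Production labels
    labels:
      # Quoted so an empty or odd-looking DOCS_DOMAIN is still read as a string.
      caddy: "${DOCS_DOMAIN:-mcptesta.l.supported.systems}"
      caddy.reverse_proxy: "{{upstreams 4321}}"
      caddy.encode: "gzip zstd"
      # NOTE(review): this label carries no path matcher, so the one-year
      # `immutable` policy presumably applies to every response, HTML included;
      # confirm that only fingerprinted assets are meant to be cached this long.
      caddy.header.Cache-Control: "public, max-age=31536000, immutable"
      # `preload` only takes effect once the domain is submitted to the browser
      # preload list, and includeSubDomains then covers every subdomain.
      caddy.header.Strict-Transport-Security: "max-age=31536000; includeSubDomains; preload"
      caddy.header.X-Frame-Options: "SAMEORIGIN"
      caddy.header.X-Content-Type-Options: "nosniff"
      # NOTE(review): legacy header that current browsers ignore; no
      # Content-Security-Policy is set in this file, and that header is the
      # effective control against script injection.
      caddy.header.X-XSS-Protection: "1; mode=block"
      caddy.header.Referrer-Policy: "strict-origin-when-cross-origin"
      # Rate limiting for production
      # NOTE(review): presumably needs a Caddy build that includes a
      # rate-limit module; verify the proxy image accepts this directive.
      caddy.rate_limit: "zone docs_zone key {remote_host} events 1000 window 1h"

  # Production monitoring service
  docs-monitor:
    # NOTE(review): `latest` is a moving tag, so a redeploy can pull an image
    # nobody reviewed. Pin a specific release tag or an image digest.
    image: prom/node-exporter:latest
    command:
      - '--path.rootfs=/host'
      # `$$` is the Compose escape for a literal `$` in the regular expression.
      - '--collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc)($$|/)'
    volumes:
      # The whole host root filesystem is visible inside this container.
      # The mount is read-only, but every host file the container user can
      # read is exposed, so treat this service as host-sensitive.
      - '/:/host:ro,rslave'
    networks:
      # NOTE(review): no top-level `networks:` section exists in this file;
      # `monitoring` is presumably declared in docker-compose.yml.
      - monitoring
    restart: unless-stopped
    deploy:
      resources:
        limits:
          cpus: '0.1'
          memory: 64m
    security_opt:
      - 'no-new-privileges:true'
    read_only: true

  # Log aggregation for production
  docs-logs:
    # NOTE(review): `latest` is a moving tag; pin a specific release tag or an
    # image digest, as for docs-monitor.
    image: fluent/fluent-bit:latest
    volumes:
      # Read-only view of the log directories of every container on the host,
      # not only this project's; whatever those logs contain is readable here.
      - /var/lib/docker/containers:/var/lib/docker/containers:ro
      - ./config/fluent-bit.conf:/fluent-bit/etc/fluent-bit.conf:ro
    networks:
      - monitoring
    restart: unless-stopped
    profiles:
      - logging
    deploy:
      resources:
        limits:
          cpus: '0.1'
          memory: 128m
    # Same privilege-escalation guard as the other two services.
    # NOTE(review): read_only is not set here because the agent may need
    # writable state paths; confirm, then add it with matching tmpfs mounts.
    security_opt:
      - 'no-new-privileges:true'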