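---
# mcvsphere with OAuth - Standalone Mode
# For users who already have an OIDC provider (Authentik, Keycloak, Auth0, Okta, etc.)
#
# Usage:
#   1. Copy .env.oauth.example to .env
#   2. Configure your OIDC provider settings
#   3. docker compose -f docker-compose.oauth-standalone.yml up -d
#
# Requires:
#   - External OIDC provider with OAuth 2.1 support
#   - Caddy network (caddy-docker-proxy) for HTTPS termination
#
# For full Authentik deployment, use docker-compose.oauth.yml instead
#
# Exposure model: no `ports:` are published on this service. The only route to
# the MCP server is through the external `caddy` network, so Caddy is the TLS
# and ingress boundary. Keep it that way; do not add a host port mapping here.

services:
  mcvsphere:
    build:
      context: .
      dockerfile: Dockerfile
    image: "mcvsphere:${MCVSPHERE_VERSION:-latest}"
    container_name: mcvsphere
    restart: unless-stopped
    # The whole .env file (OIDC client secret etc.) is injected into the
    # container environment. Keep .env out of version control.
    env_file:
      - .env
    environment:
      # Transport - streamable-http required for OAuth
      MCP_TRANSPORT: streamable-http
      # Binds on all container interfaces; reachable only via the caddy network.
      MCP_HOST: "0.0.0.0"
      # Quoted so the YAML parser hands Compose a string, not an int.
      MCP_PORT: "8080"
      # OAuth - set in .env file. Quoted: a bare true/false would be typed as a
      # YAML boolean by some loaders instead of the string the app reads.
      OAUTH_ENABLED: "${OAUTH_ENABLED:-true}"
    volumes:
      - ./logs:/app/logs
    networks:
      - caddy
    healthcheck:
      # Probes the OAuth authorization-server metadata endpoint, so the check
      # presumably only passes while OAuth is enabled — confirm before setting
      # OAUTH_ENABLED=false with this file.
      test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://127.0.0.1:8080/.well-known/oauth-authorization-server')"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 15s
    labels:
      # Caddy reverse proxy - configure domain in .env
      caddy: "${MCP_DOMAIN:-mcp.localhost}"
      caddy.reverse_proxy: "{{upstreams 8080}}"
      # TLS - use 'internal' for local dev, remove for production (auto HTTPS).
      # 'internal' yields a locally-issued certificate that clients will not
      # trust by default; it is not suitable for an Internet-facing deployment.
      caddy.tls: "${MCP_TLS_MODE:-internal}"
      # WebSocket/streaming support
      caddy.reverse_proxy.flush_interval: "-1"
      caddy.reverse_proxy.transport: http
      caddy.reverse_proxy.transport.read_timeout: "0"
      caddy.reverse_proxy.transport.write_timeout: "0"
    deploy:
      resources:
        limits:
          memory: 512M
          cpus: '1.0'
        reservations:
          memory: 256M
          cpus: '0.25'

networks:
  caddy:
    external: true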