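---
# Docker Swarm stack for WHOOSH: the application service plus its private
# PostgreSQL and Redis back ends. Service credentials are supplied as external
# Swarm secrets and read from /run/secrets via the *_FILE variables.
version: '3.8'

services:
  whoosh:
    # NOTE(review): mutable tag. Pin by digest (image@sha256:<digest>) once a
    # verified build is chosen, so every node and every restart runs the same
    # image.
    image: anthonyrawlins/whoosh:council-deployment-v3
    # Run as root to access Docker socket across different node configurations.
    # SECURITY: uid 0 plus a read-write Docker socket (see volumes) gives this
    # container root-equivalent control of the node's Docker daemon. Anything
    # that compromises the process inherits that control.
    user: "0:0"
    ports:
      # SECURITY: ingress mode publishes 8800 on every swarm node. Requests
      # arriving there reach the app directly and do not pass through the
      # Traefik router (TLS, middlewares) configured in the labels below.
      # Restrict the port at the host firewall, or drop the mapping if Traefik
      # is meant to be the only entry point.
      - target: 8080
        published: 8800
        protocol: tcp
        mode: ingress
    environment:
      # Database configuration
      WHOOSH_DATABASE_DB_HOST: postgres
      WHOOSH_DATABASE_DB_PORT: "5432"
      WHOOSH_DATABASE_DB_NAME: whoosh
      WHOOSH_DATABASE_DB_USER: whoosh
      WHOOSH_DATABASE_DB_PASSWORD_FILE: /run/secrets/whoosh_db_password
      # SECURITY: TLS to PostgreSQL is off, and the whoosh-backend overlay is
      # declared without the `encrypted` driver option, so database traffic
      # (including authentication) crosses nodes unencrypted.
      WHOOSH_DATABASE_DB_SSL_MODE: disable
      WHOOSH_DATABASE_DB_AUTO_MIGRATE: "true"
      # Server configuration
      WHOOSH_SERVER_LISTEN_ADDR: ":8080"
      WHOOSH_SERVER_READ_TIMEOUT: "30s"
      WHOOSH_SERVER_WRITE_TIMEOUT: "30s"
      WHOOSH_SERVER_SHUTDOWN_TIMEOUT: "30s"
      # GITEA configuration
      WHOOSH_GITEA_BASE_URL: https://gitea.chorus.services
      WHOOSH_GITEA_TOKEN_FILE: /run/secrets/gitea_token
      WHOOSH_GITEA_WEBHOOK_TOKEN_FILE: /run/secrets/webhook_token
      WHOOSH_GITEA_WEBHOOK_PATH: /webhooks/gitea
      # Auth configuration
      WHOOSH_AUTH_JWT_SECRET_FILE: /run/secrets/jwt_secret
      WHOOSH_AUTH_SERVICE_TOKENS_FILE: /run/secrets/service_tokens
      WHOOSH_AUTH_JWT_EXPIRY: "24h"
      # Logging
      # NOTE(review): debug level alongside environment=production. Confirm
      # that debug output cannot include tokens, webhook bodies or other
      # secrets before shipping logs off the node.
      WHOOSH_LOGGING_LEVEL: debug
      WHOOSH_LOGGING_ENVIRONMENT: production
      # Redis configuration
      WHOOSH_REDIS_ENABLED: "true"
      WHOOSH_REDIS_HOST: redis
      WHOOSH_REDIS_PORT: "6379"
      WHOOSH_REDIS_PASSWORD_FILE: /run/secrets/redis_password
      WHOOSH_REDIS_DATABASE: "0"
      # BACKBEAT configuration - enabled for full integration
      WHOOSH_BACKBEAT_ENABLED: "true"
      WHOOSH_BACKBEAT_NATS_URL: "nats://backbeat-nats:4222"
      # Docker integration - enabled for council agent deployment
      WHOOSH_DOCKER_ENABLED: "true"
    volumes:
      # Docker socket access for council agent deployment.
      # SECURITY: read-write access to the socket is full control of the
      # daemon. A socket proxy that exposes only the API calls WHOOSH needs
      # would narrow this.
      - /var/run/docker.sock:/var/run/docker.sock:rw
      # Council prompts and configuration
      - /rust/containers/WHOOSH/prompts:/app/prompts:ro
    secrets:
      - whoosh_db_password
      - gitea_token
      - webhook_token
      - jwt_secret
      - service_tokens
      - redis_password
    deploy:
      replicas: 2
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s
      update_config:
        parallelism: 1
        delay: 10s
        failure_action: rollback
        monitor: 60s
        order: start-first
      # rollback_config:
      #   parallelism: 1
      #   delay: 0s
      #   failure_action: pause
      #   monitor: 60s
      #   order: stop-first
      placement:
        preferences:
          - spread: node.hostname
      resources:
        limits:
          memory: 256M
          cpus: '0.5'
        reservations:
          memory: 128M
          cpus: '0.25'
      labels:
        - traefik.enable=true
        - traefik.http.routers.whoosh.rule=Host(`whoosh.chorus.services`)
        - traefik.http.routers.whoosh.tls=true
        - traefik.http.routers.whoosh.tls.certresolver=letsencryptresolver
        - traefik.http.services.whoosh.loadbalancer.server.port=8080
        # NOTE(review): the whoosh-auth middleware is declared but no
        # traefik.http.routers.whoosh.middlewares label references it, so it
        # is not applied to the route, and the hash below is a placeholder.
        # Set a real hash and attach the middleware, or remove this label, so
        # the file does not imply the route is behind basic auth.
        - traefik.http.middlewares.whoosh-auth.basicauth.users=admin:$$2y$$10$$example_hash
    networks:
      - tengig
      - whoosh-backend
      - chorus_net  # Connect to CHORUS network for BACKBEAT integration
    healthcheck:
      test: ["CMD", "/app/whoosh", "--health-check"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s

  postgres:
    image: postgres:15-alpine
    environment:
      POSTGRES_DB: whoosh
      POSTGRES_USER: whoosh
      POSTGRES_PASSWORD_FILE: /run/secrets/whoosh_db_password
      POSTGRES_INITDB_ARGS: --auth-host=scram-sha-256
    secrets:
      - whoosh_db_password
    volumes:
      - whoosh_postgres_data:/var/lib/postgresql/data
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s
      placement:
        preferences:
          - spread: node.hostname
      resources:
        limits:
          memory: 512M
          cpus: '1.0'
        reservations:
          memory: 256M
          cpus: '0.5'
    # Backend network only: the database is not attached to tengig or
    # chorus_net and publishes no ports.
    networks:
      - whoosh-backend
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U whoosh"]
      interval: 30s
      timeout: 10s
      retries: 5
      start_period: 30s

  redis:
    image: redis:7-alpine
    # NOTE(review): the secret is expanded into redis-server's argument list,
    # so the running process carries the password in its command line, where
    # process listings on the node can show it. Supplying requirepass through
    # a config file instead would keep it off the command line.
    command: sh -c 'redis-server --requirepass "$$(cat /run/secrets/redis_password)" --appendonly yes'
    secrets:
      - redis_password
    volumes:
      - whoosh_redis_data:/data
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s
      placement:
        preferences:
          - spread: node.hostname
      resources:
        limits:
          memory: 128M
          cpus: '0.25'
        reservations:
          memory: 64M
          cpus: '0.1'
    networks:
      - whoosh-backend
    healthcheck:
      # The password goes to redis-cli through REDISCLI_AUTH instead of `-a`.
      # This keeps it out of the probe's command line every 30s, and the
      # quoted substitution survives passwords containing spaces or shell
      # metacharacters.
      test:
        - CMD
        - sh
        - '-c'
        - 'REDISCLI_AUTH="$$(cat /run/secrets/redis_password)" redis-cli ping'
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s

networks:
  tengig:
    external: true
  # Private overlay for whoosh <-> postgres/redis. attachable: false keeps
  # standalone containers from joining it.
  # NOTE(review): overlay application traffic is only encrypted between nodes
  # when the network is created with the `encrypted` driver option. Consider
  # it while DB TLS is disabled.
  whoosh-backend:
    driver: overlay
    attachable: false
  chorus_net:
    external: true
    name: CHORUS_chorus_net

volumes:
  # Both data volumes are bind mounts of host paths under
  # /rust/containers/WHOOSH. File permissions on those directories are what
  # protect the database and Redis files at rest.
  whoosh_postgres_data:
    driver: local
    driver_opts:
      type: none
      o: bind
      device: /rust/containers/WHOOSH/postgres
  whoosh_redis_data:
    driver: local
    driver_opts:
      type: none
      o: bind
      device: /rust/containers/WHOOSH/redis

# All secrets are external: they must already exist in the swarm under the
# given names before the stack is deployed.
secrets:
  whoosh_db_password:
    external: true
    name: whoosh_db_password
  gitea_token:
    external: true
    name: gitea_token
  webhook_token:
    external: true
    name: whoosh_webhook_token
  jwt_secret:
    external: true
    name: whoosh_jwt_secret
  service_tokens:
    external: true
    name: whoosh_service_tokens
  redis_password:
    external: true
    name: whoosh_redis_password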