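# Compose definition for the barycenter service: builds the image from the
# local Dockerfile, publishes port 8080 and persists /app/data in a named
# volume.
version: '3.8'

services:
  barycenter:
    build:
      context: .
      dockerfile: Dockerfile
    image: barycenter:latest
    container_name: barycenter
    restart: unless-stopped

    ports:
      # Published on every host interface.
      # NOTE(review): the PUBLIC_BASE_URL example below is https, so TLS is
      # presumably terminated by a reverse proxy. If that proxy runs on this
      # host, "127.0.0.1:8080:8080" keeps the plain-HTTP listener off the
      # network - confirm against the deployment.
      - "8080:8080"

    environment:
      # Override config via environment variables
      # Use CRABIDP__ prefix with double underscores for nested keys
      - RUST_LOG=info
      # Example: CRABIDP__SERVER__PORT=8080
      # Example: CRABIDP__SERVER__PUBLIC_BASE_URL=https://idp.example.com
      # Example: CRABIDP__DATABASE__URL=sqlite:///app/data/crabidp.db?mode=rwc

    volumes:
      # Persist database and keys. Because key material lives here, access to
      # this volume and to its backups should be restricted accordingly.
      - barycenter-data:/app/data
      # Optional: override config file
      # - ./config.toml:/app/config/config.toml:ro

    healthcheck:
      # Probes the OpenID discovery document from inside the container.
      # NOTE(review): this needs curl in the image - confirm the Dockerfile
      # installs it, otherwise the container is reported unhealthy.
      test: ["CMD", "curl", "-f", "http://localhost:8080/.well-known/openid-configuration"]
      interval: 30s
      timeout: 3s
      retries: 3
      start_period: 10s

    # Security options
    security_opt:
      # Stops processes in the container from gaining privileges through
      # setuid/setgid binaries.
      - 'no-new-privileges:true'

    # The root filesystem is currently WRITABLE: read_only is false, so the
    # "read-only except the data volume" hardening is not in effect.
    # NOTE(review): switch to true once the service is confirmed to write only
    # under /app/data; any scratch path it needs can be given a tmpfs mount.
    read_only: false

    # Drop all capabilities. Nothing is added back (there is no cap_add); the
    # service listens on the unprivileged port 8080, so it does not need
    # NET_BIND_SERVICE.
    cap_drop:
      - ALL

    # Resource limits.
    # NOTE(review): the deploy section is applied by Swarm and by Docker
    # Compose v2; the legacy docker-compose v1 binary ignores it unless run
    # with --compatibility, which would leave the container unbounded.
    deploy:
      resources:
        limits:
          cpus: '1'
          memory: 512M
        reservations:
          cpus: '0.25'
          memory: 128M

volumes:
  barycenter-data:
    driver: local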