services:
  db:
    image: postgres:16-alpine
    container_name: wealthysmart-db-prod
    restart: unless-stopped
    environment:
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
      POSTGRES_DB: ${POSTGRES_DB}
    volumes:
      - postgres_data:/var/lib/postgresql/data
    networks:
      - wealthysmart-network
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
      interval: 10s
      timeout: 5s
      retries: 5

  backend:
    build:
      context: ./backend
      dockerfile: Dockerfile.prod
    container_name: wealthysmart-backend-prod
    restart: unless-stopped
    environment:
      DATABASE_URL: postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}
      SECRET_KEY: ${SECRET_KEY}
      ADMIN_USERNAME: ${ADMIN_USERNAME}
      ADMIN_PASSWORD: ${ADMIN_PASSWORD}
      VAPID_PRIVATE_KEY: ${VAPID_PRIVATE_KEY}
      VAPID_PUBLIC_KEY: ${VAPID_PUBLIC_KEY}
      OPENAI_API_KEY: ${OPENAI_API_KEY}
      AGENT_MODEL: ${AGENT_MODEL:-gpt-5.4-mini}
    expose:
      - "8000"
    networks:
      - wealthysmart-network
    depends_on:
      db:
        condition: service_healthy
    healthcheck:
      test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:8000/')"]
      interval: 15s
      timeout: 5s
      retries: 3
      start_period: 10s

  frontend:
    build:
      context: ./frontend
      dockerfile: Dockerfile
      target: runner
      args:
        NEXT_PUBLIC_VAPID_PUBLIC_KEY: ${VAPID_PUBLIC_KEY}
    container_name: wealthysmart-frontend-prod
    restart: unless-stopped
    environment:
      NODE_ENV: production
      BACKEND_URL: http://wealthysmart-backend-prod:8000
      AGENT_URL: http://wealthysmart-backend-prod:8000/api/v1/agent/agui
      JWT_SECRET: ${SECRET_KEY}
      COOKIE_DOMAIN: wealth.cescalante.dev
      COOKIE_SECURE: "true"
      VIRTUAL_HOST: wealth.cescalante.dev
      VIRTUAL_PORT: "3000"
      LETSENCRYPT_HOST: wealth.cescalante.dev
      LETSENCRYPT_EMAIL: ${LETSENCRYPT_EMAIL}
    expose:
      - "3000"
    networks:
      - wealthysmart-network
      - nginx-prod-network
    depends_on:
      - backend
    healthcheck:
      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://127.0.0.1:3000/api/health"]
      interval: 30s
      timeout: 10s
      retries: 3

networks:
  wealthysmart-network:
    driver: bridge
    name: wealthysmart-network-prod
  nginx-prod-network:
    external: true

volumes:
  postgres_data:
    name: wealthysmart-postgres-prod-data