services:
  tinyforge:
    # Default: build from source so a fresh clone works out of the box.
    build: .
    # Image name doubles as the Gitea registry tag. To DEPLOY the pre-built
    # image instead of building (e.g. Portainer pulling on a webhook), comment
    # out `build:` above — compose will then pull this tag. `:latest` is pushed
    # only for stable (non pre-release) releases, and the registry may require
    # `docker login git.dolgolyov-family.by` first if the package is private.
    image: git.dolgolyov-family.by/alexei.dolgolyov/tiny-forge:latest
    container_name: tinyforge
    restart: unless-stopped
    ports:
      - "8080:8080"
    volumes:
      # Mount Docker socket for container management.
      - /var/run/docker.sock:/var/run/docker.sock
      # Persistent data (SQLite database).
      - tinyforge-data:/app/data
      # Optional seed config (read on first launch only).
      - ./tinyforge.yaml:/app/tinyforge.yaml:ro
    environment:
      # Required: protects all credentials stored in the database.
      - ENCRYPTION_KEY=${ENCRYPTION_KEY:?Set ENCRYPTION_KEY in .env}
      # Required on first launch: password for the default admin user.
      - ADMIN_PASSWORD=${ADMIN_PASSWORD:?Set ADMIN_PASSWORD in .env}
      # Optional: override seed file location.
      - SEED_FILE=/app/tinyforge.yaml
      # Optional: override data directory.
      - DATA_DIR=/app/data
      # Optional: override listen address.
      - LISTEN_ADDR=:8080
      # Optional: override NPM URL (otherwise uses value from settings).
      # - NPM_URL=http://npm:81
      # Optional: override polling interval.
      # - POLLING_INTERVAL=5m
    networks:
      - staging-net
    healthcheck:
      # /readyz is the public readiness probe (pings the DB, rate-limited).
      # The previous target (/api/auth/login) is POST-only, so a GET/spider
      # request returned 405 and the container was always reported unhealthy.
      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8080/readyz"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s

volumes:
  tinyforge-data:
    driver: local

# NOTE: The staging-net network must exist before starting.
# Create it with: docker network create staging-net
networks:
  staging-net:
    external: true