services:
  web-app-launcher:
    build: .
    container_name: web-app-launcher
    restart: unless-stopped
    ports:
      - '${APP_PORT:-3000}:3000'
    environment:
      - DATABASE_URL=file:/app/data/launcher.db
      # JWT_SECRET is REQUIRED. Generate one with: openssl rand -hex 32
      # The container will refuse to start if this is not set or is too weak.
      - JWT_SECRET=${JWT_SECRET:?JWT_SECRET must be set. Generate with: openssl rand -hex 32}
      # INTEGRATION_ENCRYPTION_KEY encrypts stored credentials for integrations
      # (Planka, Authentik, Pi-hole, etc.). MUST differ from JWT_SECRET so that
      # rotating one does not invalidate the other.
      - INTEGRATION_ENCRYPTION_KEY=${INTEGRATION_ENCRYPTION_KEY:?INTEGRATION_ENCRYPTION_KEY must be set. Generate with: openssl rand -hex 32}
      - JWT_EXPIRY=${JWT_EXPIRY:-15m}
      - REFRESH_TOKEN_EXPIRY=${REFRESH_TOKEN_EXPIRY:-7d}
      - GUEST_MODE=${GUEST_MODE:-true}
      - HEALTHCHECK_CRON=${HEALTHCHECK_CRON:-*/5 * * * *}
      - HEALTHCHECK_TIMEOUT_MS=${HEALTHCHECK_TIMEOUT_MS:-5000}
      - NODE_ENV=production
      - APP_PORT=3000
      - APP_HOST=0.0.0.0
      # ORIGIN must match the public URL users visit. When set to https://...
      # session cookies are issued with the Secure flag. Behind a reverse proxy
      # terminating TLS, set this to the public https URL.
      - ORIGIN=${ORIGIN:-http://localhost:${APP_PORT:-3000}}
    volumes:
      - launcher-data:/app/data
    networks:
      - launcher-net
    logging:
      driver: json-file
      options:
        max-size: '10m'
        max-file: '3'
    deploy:
      resources:
        limits:
          memory: 1g
          cpus: '1.0'

volumes:
  launcher-data:

networks:
  launcher-net: