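# AegisGitea MCP - Docker Compose Configuration
# Usage: docker-compose up -d
#
# Runs the aegis-mcp service built from docker/Dockerfile. Its port is not
# published on the host by default; the Traefik labels that would route to
# it are left commented out further down.

services:
  aegis-mcp:
    build:
      context: .
      dockerfile: docker/Dockerfile
    container_name: aegis-gitea-mcp
    restart: unless-stopped
    # NOTE(review): .env presumably carries the service credentials; keep it
    # out of version control and readable only by the deploying user.
    env_file:
      - .env
    # Port publishing is disabled, so the service is reachable only from the
    # networks attached below. If this is enabled, the mapping binds on all
    # host interfaces; prefix it with 127.0.0.1: for local-only access.
    # ports:
    #   - "${MCP_PORT:-8080}:8080"
    volumes:
      - aegis-mcp-logs:/var/log/aegis-mcp
    networks:
      - aegis-network
      - proxy  # Connect to Traefik network (if using Traefik)
    security_opt:
      # Stops processes in the container from gaining privileges through
      # setuid/setgid binaries.
      - no-new-privileges:true
    # NOTE(review): the legacy docker-compose v1 CLI only applies
    # deploy.resources when run with --compatibility; confirm the limits are
    # in effect on the running container (docker inspect / docker stats).
    deploy:
      resources:
        limits:
          cpus: "1.0"
          memory: 512M
        reservations:
          cpus: "0.25"
          memory: 128M
    healthcheck:
      # raise_for_status() makes the probe exit non-zero on an error status.
      # A bare httpx.get() only fails when the connection itself fails, so a
      # /health endpoint answering 500 would still be reported as healthy.
      test:
        - "CMD"
        - "python"
        - "-c"
        - "import httpx; httpx.get('http://localhost:8080/health').raise_for_status()"
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 10s

    # Traefik labels for automatic HTTPS and routing
    # NOTE(review): headers.sslredirect is deprecated in newer Traefik
    # releases; check the option names against the Traefik version in use.
    # labels:
    #   - "traefik.enable=true"
    #   # Router configuration
    #   - "traefik.http.routers.aegis-mcp.rule=Host(`${MCP_DOMAIN:-mcp.example.com}`)"
    #   - "traefik.http.routers.aegis-mcp.entrypoints=websecure"
    #   - "traefik.http.routers.aegis-mcp.tls=true"
    #   - "traefik.http.routers.aegis-mcp.tls.certresolver=letsencrypt"
    #   # Service configuration
    #   - "traefik.http.services.aegis-mcp.loadbalancer.server.port=8080"
    #   # Rate limiting middleware (60 req/min per IP)
    #   - "traefik.http.middlewares.aegis-ratelimit.ratelimit.average=60"
    #   - "traefik.http.middlewares.aegis-ratelimit.ratelimit.period=1m"
    #   - "traefik.http.middlewares.aegis-ratelimit.ratelimit.burst=10"
    #   # Security headers middleware
    #   - "traefik.http.middlewares.aegis-security.headers.sslredirect=true"
    #   - "traefik.http.middlewares.aegis-security.headers.stsSeconds=31536000"
    #   - "traefik.http.middlewares.aegis-security.headers.stsIncludeSubdomains=true"
    #   - "traefik.http.middlewares.aegis-security.headers.stsPreload=true"
    #   - "traefik.http.middlewares.aegis-security.headers.contentTypeNosniff=true"
    #   - "traefik.http.middlewares.aegis-security.headers.browserXssFilter=true"
    #   - "traefik.http.middlewares.aegis-security.headers.forceSTSHeader=true"
    #   # Apply middlewares to router
    #   - "traefik.http.routers.aegis-mcp.middlewares=aegis-ratelimit@docker,aegis-security@docker"

volumes:
  aegis-mcp-logs:
    driver: local

networks:
  aegis-network:
    driver: bridge
  # External Traefik network (create with: docker network create traefik)
  # Comment out if not using Traefik
  # The service's networks list above also references proxy, so remove that
  # entry as well when disabling this network.
  proxy:
    external: true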