# AegisGitea MCP - Docker Compose Configuration
# Usage: docker-compose up -d

version: '3.8'

services:
  aegis-mcp:
    build:
      context: .
      dockerfile: docker/Dockerfile
    container_name: aegis-gitea-mcp
    restart: unless-stopped
    
    env_file:
      - .env
    
    ports:
      - "${MCP_PORT:-8080}:8080"
    
    volumes:
      - aegis-mcp-logs:/var/log/aegis-mcp
    
    networks:
      - aegis-network
      - traefik  # Connect to Traefik network (if using Traefik)
    
    security_opt:
      - no-new-privileges:true
    
    deploy:
      resources:
        limits:
          cpus: '1.0'
          memory: 512M
        reservations:
          cpus: '0.25'
          memory: 128M
    
    healthcheck:
      test: ["CMD", "python", "-c", "import httpx; httpx.get('http://localhost:8080/health')"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 10s
    
    # Traefik labels for automatic HTTPS and routing
    labels:
      - "traefik.enable=true"
      
      # Router configuration
      - "traefik.http.routers.aegis-mcp.rule=Host(`${MCP_DOMAIN:-mcp.example.com}`)"
      - "traefik.http.routers.aegis-mcp.entrypoints=websecure"
      - "traefik.http.routers.aegis-mcp.tls=true"
      - "traefik.http.routers.aegis-mcp.tls.certresolver=letsencrypt"
      
      # Service configuration
      - "traefik.http.services.aegis-mcp.loadbalancer.server.port=8080"
      
      # Rate limiting middleware (60 req/min per IP)
      - "traefik.http.middlewares.aegis-ratelimit.ratelimit.average=60"
      - "traefik.http.middlewares.aegis-ratelimit.ratelimit.period=1m"
      - "traefik.http.middlewares.aegis-ratelimit.ratelimit.burst=10"
      
      # Security headers middleware
      - "traefik.http.middlewares.aegis-security.headers.sslredirect=true"
      - "traefik.http.middlewares.aegis-security.headers.stsSeconds=31536000"
      - "traefik.http.middlewares.aegis-security.headers.stsIncludeSubdomains=true"
      - "traefik.http.middlewares.aegis-security.headers.stsPreload=true"
      - "traefik.http.middlewares.aegis-security.headers.contentTypeNosniff=true"
      - "traefik.http.middlewares.aegis-security.headers.browserXssFilter=true"
      - "traefik.http.middlewares.aegis-security.headers.forceSTSHeader=true"
      
      # Apply middlewares to router
      - "traefik.http.routers.aegis-mcp.middlewares=aegis-ratelimit@docker,aegis-security@docker"

volumes:
  aegis-mcp-logs:
    driver: local

networks:
  aegis-network:
    driver: bridge
  
  # External Traefik network (create with: docker network create traefik)
  # Comment out if not using Traefik
  traefik:
    external: true