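# Production compose file — no embedded Postgres.
# Set ORCHESTRATOR_DB_CONNECTION_STRING (interpolated into
# ConnectionStrings__OrchestratorDb below) in your .env (or via docker
# secret/env injection) to point at your dedicated PostgreSQL instance before
# deploying. JWT_KEY is required as well.
#
# Both variables use the ${VAR:?message} form, so any command that parses this
# file stops with an error while they are unset or empty, instead of starting
# the app with a blank connection string or a blank JWT key.
#
# Deploy:
#   COMPOSE_FILE=docker-compose.prod.yml SWARM_HOST=root@<swarm-host> ./deploy.sh
---
networks:
  otssigns_net:
    driver: overlay
    attachable: true

services:
  app:
    # The tag falls back to the mutable `latest`; set IMAGE_TAG to an immutable
    # release tag or digest so a production deploy is reproducible and auditable.
    image: "${IMAGE_NAME:-ots-orchestrator}:${IMAGE_TAG:-latest}"
    # NOTE(review): if deploy.sh ends in `docker stack deploy`, `build` and
    # `restart` are ignored there (swarm uses deploy.restart_policy) — confirm.
    build:
      context: .
      dockerfile: Dockerfile
    restart: unless-stopped
    ports:
      - target: 8080
        published: 8080
        mode: ingress
    networks:
      - otssigns_net
    environment:
      ASPNETCORE_ENVIRONMENT: Production
      # Values passed as environment variables are readable by anyone who can
      # inspect the container or service; restrict access to the Docker API.

      # ── Database — set this to your external PG instance ──────────────────
      ConnectionStrings__OrchestratorDb: "${ORCHESTRATOR_DB_CONNECTION_STRING:?ORCHESTRATOR_DB_CONNECTION_STRING must be set}"

      # ── JWT ────────────────────────────────────────────────────────────────
      # presumably the token signing secret — use a long random value and keep
      # it out of version control; verify the required length against the app.
      Jwt__Key: "${JWT_KEY:?JWT_KEY must be set}"
      Jwt__Issuer: "OTSSignsOrchestrator"
      Jwt__Audience: "OTSSignsOrchestrator"

      # All other integration settings (Bitwarden, Stripe, Authentik, SendGrid)
      # are managed via the admin UI (Settings page). On first run, env vars
      # below are seeded into the database and then ignored.
      # Uncomment any line to seed on first deploy, then remove it so the
      # credential does not stay in the service definition.
      # Bitwarden__AccessToken: "${BITWARDEN_ACCESS_TOKEN}"
      # Bitwarden__OrganizationId: "${BITWARDEN_ORG_ID}"
      # Bitwarden__ProjectId: "${BITWARDEN_PROJECT_ID}"
      # Stripe__SecretKey: "${STRIPE_SECRET_KEY}"
      # Stripe__WebhookSecret: "${STRIPE_WEBHOOK_SECRET}"
      # Authentik__BaseUrl: "${AUTHENTIK_BASE_URL}"
      # Authentik__ApiToken: "${AUTHENTIK_API_TOKEN}"
      # Authentik__OtsSigningKpId: "${AUTHENTIK_OTS_SIGNING_KP_ID}"
      # Email__SendGridApiKey: "${SENDGRID_API_KEY}"
    volumes:
      # presumably the ASP.NET Core Data Protection key ring — treat the volume
      # contents as secret key material and back it up accordingly (confirm).
      - dataprotection_keys:/app/dataprotection-keys

volumes:
  dataprotection_keys: {}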