version: '3.8'

services:
  # MariaDB Database
  db:
    image: mariadb:10.11
    container_name: mguard-db
    restart: unless-stopped
    environment:
      MYSQL_ROOT_PASSWORD: ${DB_ROOT_PASSWORD:-changeme_root}
      MYSQL_DATABASE: ${DB_NAME:-mguard_vpn}
      MYSQL_USER: ${DB_USER:-mguard}
      MYSQL_PASSWORD: ${DB_PASSWORD:-changeme_db}
    volumes:
      - db_data:/var/lib/mysql
      - ./server/init.sql:/docker-entrypoint-initdb.d/init.sql:ro
    networks:
      - mguard-network
    healthcheck:
      test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]
      interval: 10s
      timeout: 5s
      retries: 5

  # FastAPI Server + Web UI
  api:
    build:
      context: ./server
      dockerfile: Dockerfile
    container_name: mguard-api
    restart: unless-stopped
    extra_hosts:
      - "host.docker.internal:host-gateway"
    environment:
      - DATABASE_URL=mysql+pymysql://${DB_USER:-mguard}:${DB_PASSWORD:-changeme_db}@db:3306/${DB_NAME:-mguard_vpn}
      - SECRET_KEY=${SECRET_KEY:-change_me_in_production_use_openssl_rand_hex_32}
      - ADMIN_USERNAME=${ADMIN_USERNAME:-admin}
      - ADMIN_PASSWORD=${ADMIN_PASSWORD:-changeme}
      - ADMIN_EMAIL=${ADMIN_EMAIL:-admin@example.com}
      - OPENVPN_MANAGEMENT_HOST=openvpn
      - OPENVPN_MANAGEMENT_PORT=7505
      - VPN_SERVER_ADDRESS=${VPN_SERVER_ADDRESS:-vpn.example.com}
    ports:
      - "8000:8000"
    volumes:
      - ./server/app:/server/app
      - openvpn_logs:/var/log/openvpn:ro
    depends_on:
      db:
        condition: service_healthy
    networks:
      - mguard-network

  # OpenVPN Multi-Server Container (Host Network)
  # Manages multiple VPN server instances dynamically based on database configuration.
  # No need to edit docker-compose.yml when adding new VPN servers - just create them
  # via the web UI and the container will automatically start them.
  openvpn:
    build:
      context: ./openvpn
      dockerfile: Dockerfile
    container_name: mguard-openvpn
    restart: unless-stopped
    network_mode: host
    privileged: true
    cap_add:
      - NET_ADMIN
    environment:
      # API runs on localhost:8000 from container's perspective (host network)
      - API_URL=http://127.0.0.1:8000/api/internal
      - API_TIMEOUT=120
      - API_RETRY_INTERVAL=5
      - POLL_INTERVAL=30
    volumes:
      - openvpn_config:/etc/openvpn
      - openvpn_logs:/var/log/openvpn
    depends_on:
      - api

volumes:
  db_data:
    name: mguard_db_data
  openvpn_config:
    name: mguard_openvpn_config
  openvpn_logs:
    name: mguard_openvpn_logs

networks:
  mguard-network:
    name: mguard_network
    driver: bridge
    ipam:
      config:
        - subnet: 172.20.0.0/16