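# Draft target path on vps.git: ~/git-kc/compose.yaml
# Notes:
# - Keep nginx on the host.
# - Keep MySQL private inside the Docker network.
# - First migration run: Keycloak uses --import-realm.
#   After successful import, you may remove --import-realm for steady-state.
# - This draft assumes Gitea SSH is disabled for phase 1.
#
# Review notes:
# - `env_file: .env` copies every variable in .env into the container, so
#   mysql, gitea and keycloak each receive all secrets defined there (MySQL
#   root password, Keycloak bootstrap admin password, ...). The values used
#   below are already interpolated from .env by Compose; consider per-service
#   env files if the containers do not need the full set.
# - Gitea and Keycloak are meant to be reached only through the host nginx,
#   so their published ports default to loopback when the *_HOST_BIND
#   variables are unset.

services:
  mysql:
    image: ${MYSQL_IMAGE}
    container_name: git-kc-mysql
    restart: unless-stopped
    env_file:
      - .env
    environment:
      TZ: ${TZ}
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
    command:
      - --character-set-server=utf8mb4
      - --collation-server=utf8mb4_0900_ai_ci
      - --default-authentication-plugin=caching_sha2_password
      - --skip-name-resolve
    volumes:
      - ./mysql/data:/var/lib/mysql
      - ./mysql/init:/docker-entrypoint-initdb.d:ro
    healthcheck:
      # `$$` defers expansion to the container shell. The variable is quoted
      # so a password containing spaces or shell metacharacters is passed as
      # one argument. The password still appears in the process arguments
      # inside the container while the check runs.
      test:
        - CMD-SHELL
        - 'mysqladmin ping -uroot -p"$$MYSQL_ROOT_PASSWORD" --silent'
      interval: 10s
      timeout: 5s
      retries: 12
      start_period: 20s
    # No `ports:` entry: MySQL is reachable only on the Compose network.
    networks:
      - git-kc-net

  gitea:
    image: ${GITEA_IMAGE}
    container_name: git-kc-gitea
    restart: unless-stopped
    depends_on:
      mysql:
        condition: service_healthy
    env_file:
      - .env
    user: "${GITEA_UID}:${GITEA_GID}"
    environment:
      TZ: ${TZ}
      USER_UID: ${GITEA_UID}
      USER_GID: ${GITEA_GID}
      HOME: /home/git
      GITEA_WORK_DIR: /var/lib/gitea
      GITEA_CUSTOM: /var/lib/gitea/custom
    working_dir: /var/lib/gitea
    command: ["gitea", "web", "--config", "/etc/gitea/app.ini"]
    ports:
      # Loopback by default so only the host nginx can reach Gitea. Ports
      # published by Docker on a public address are typically not filtered
      # by host firewall front-ends such as ufw.
      - "${GITEA_HOST_BIND:-127.0.0.1}:${GITEA_HTTP_PORT}:3000"
    volumes:
      - /var/lib/gitea:/var/lib/gitea
      - /home/git:/home/git
      - ./gitea/app.ini:/etc/gitea/app.ini:ro
    healthcheck:
      test: ["CMD-SHELL", "wget -q -O /dev/null http://127.0.0.1:3000/ || exit 1"]
      interval: 15s
      timeout: 5s
      retries: 10
      start_period: 30s
    networks:
      - git-kc-net

  keycloak:
    image: ${KEYCLOAK_IMAGE}
    container_name: git-kc-keycloak
    restart: unless-stopped
    depends_on:
      mysql:
        condition: service_healthy
    env_file:
      - .env
    environment:
      TZ: ${TZ}
      KC_DB: mysql
      KC_DB_URL_HOST: ${KC_DB_URL_HOST}
      KC_DB_URL_PORT: ${KC_DB_URL_PORT}
      KC_DB_URL_DATABASE: ${KC_DB_URL_DATABASE}
      KC_DB_USERNAME: ${KC_DB_USERNAME}
      KC_DB_PASSWORD: ${KC_DB_PASSWORD}
      KC_HOSTNAME: ${KC_HOSTNAME}
      # Plain HTTP plus trusted X-Forwarded-* headers is only safe while the
      # host nginx is the sole client of port 8080; anything else that can
      # reach the port can supply its own forwarded headers.
      KC_HTTP_ENABLED: "true"
      KC_PROXY_HEADERS: xforwarded
      # NOTE(review): confirm which port this image version serves /health
      # and /metrics on; if it is the main HTTP port, do not proxy those
      # paths publicly from nginx.
      KC_HEALTH_ENABLED: "true"
      KC_METRICS_ENABLED: "true"
      # Bootstrap admin credentials are for initial setup; replace the
      # account with a permanent admin and drop these once that is done.
      KC_BOOTSTRAP_ADMIN_USERNAME: ${KC_BOOTSTRAP_ADMIN_USERNAME}
      KC_BOOTSTRAP_ADMIN_PASSWORD: ${KC_BOOTSTRAP_ADMIN_PASSWORD}
    # NOTE(review): the header says the first migration run uses
    # --import-realm, but the command here is plain `start`; the import
    # mount below has no effect unless that flag is added for the first run.
    command:
      - start
    ports:
      # Loopback by default; see the forwarded-header note above.
      - "${KEYCLOAK_HOST_BIND:-127.0.0.1}:${KEYCLOAK_HTTP_PORT}:8080"
    volumes:
      - ./keycloak/import:/opt/keycloak/data/import:ro
    healthcheck:
      # TCP-connect probe only: succeeds as soon as port 8080 accepts a
      # connection.
      test: ["CMD-SHELL", "bash -c 'exec 3<>/dev/tcp/127.0.0.1/8080' && exit 0 || exit 1"]
      interval: 15s
      timeout: 5s
      retries: 20
      start_period: 45s
    networks:
      - git-kc-net

  harborforge-monitor:
    # `latest` is a mutable tag: the image can change between pulls. Pin a
    # version tag or digest, since this container sees the whole host
    # filesystem and shares the host network namespace.
    image: git.hangman-lab.top/zhi/harborforge-monitor:latest
    container_name: harborforge-monitor
    restart: unless-stopped
    environment:
      # NOTE(review): the container variables are spelled HF_MONITER_* while
      # the interpolated ones are HF_MONITOR_*; confirm the spelling the
      # image actually reads. IDENTIFIER and API_KEY have no default and are
      # empty when unset.
      HF_MONITER_BACKEND_URL: ${HF_MONITOR_BACKEND_URL:-https://hf.hangman-lab.top}
      HF_MONITER_IDENTIFIER: ${HF_MONITOR_IDENTIFIER}
      HF_MONITER_API_KEY: ${HF_MONITOR_API_KEY}
      HF_MONITER_REPORT_INTERVAL: "30"
      HF_MONITER_LOG_LEVEL: info
      HF_MONITER_ROOTFS: /host
    volumes:
      # The read-only host root includes /etc/shadow, SSH keys and this
      # project's .env. `:ro` blocks file writes but not connecting to Unix
      # sockets under /host (for example the Docker socket) when the
      # process has permission. Prefer mounting only the paths the monitor
      # needs.
      - /:/host:ro
    # Host networking: the container can reach the loopback-bound Gitea and
    # Keycloak ports and is not on git-kc-net.
    network_mode: host

networks:
  git-kc-net:
    name: ${DOCKER_NETWORK_NAME}
    driver: bridge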