# ATAuth - Self-Hosted AT Protocol Authentication
#
# Quick Start:
#   1. cp gateway/.env.example .env
#   2. Edit .env -- set your domain and generate secrets
#   3. docker compose up -d
#   4. Open https://your-domain/admin/login

services:
  atauth:
    build:
      context: ./gateway
      dockerfile: Dockerfile
    image: ghcr.io/cache8063/atauth-gateway:latest
    container_name: atauth-gateway
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    read_only: true
    tmpfs:
      - /tmp
    deploy:
      resources:
        limits:
          memory: 512M
          cpus: '1.0'
    ports:
      # Bind to localhost only -- use a reverse proxy for external access
      - "127.0.0.1:3100:3100"
    env_file: .env
    environment:
      # Override DB_PATH for container volume mount
      - DB_PATH=/app/data/gateway.db
    volumes:
      - atauth-data:/app/data
    healthcheck:
      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:3100/health"]
      interval: 30s
      timeout: 3s
      retries: 3
      start_period: 10s
    labels:
      # Traefik labels (uncomment if using Traefik)
      # - "traefik.enable=true"
      # - "traefik.http.routers.atauth.rule=Host(`auth.example.com`)"
      # - "traefik.http.routers.atauth.entrypoints=websecure"
      # - "traefik.http.routers.atauth.tls.certresolver=letsencrypt"
      # - "traefik.http.services.atauth.loadbalancer.server.port=3100"

      # Homepage dashboard (optional)
      - "homepage.group=Authentication"
      - "homepage.name=ATAuth Gateway"
      - "homepage.icon=lock"
      - "homepage.description=AT Protocol SSO Gateway"

volumes:
  atauth-data:
    driver: local