services:
  db:
    image: postgres:16-alpine
    container_name: letsbe-hub-db
    env_file: .env
    environment:
      POSTGRES_USER: ${POSTGRES_USER:-letsbe_hub}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
      POSTGRES_DB: ${POSTGRES_DB:-letsbe_hub}
    volumes:
      - hub-db-data:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-letsbe_hub} -d ${POSTGRES_DB:-letsbe_hub}"]
      interval: 5s
      timeout: 5s
      retries: 5
    restart: unless-stopped
    networks:
      - hub-internal

  hub:
    image: code.letsbe.solutions/letsbe/hub:${HUB_IMAGE_TAG:-master}
    container_name: letsbe-hub-app
    env_file: .env
    environment:
      # Database
      DATABASE_URL: postgresql://${POSTGRES_USER:-letsbe_hub}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB:-letsbe_hub}
      # Auth
      NEXTAUTH_URL: ${HUB_URL}
      NEXTAUTH_SECRET: ${NEXTAUTH_SECRET}
      AUTH_TRUST_HOST: "true"
      # Hub URL (for runner callbacks)
      HUB_URL: ${HUB_URL}
      # Encryption keys
      CREDENTIAL_ENCRYPTION_KEY: ${CREDENTIAL_ENCRYPTION_KEY}
      SETTINGS_ENCRYPTION_KEY: ${SETTINGS_ENCRYPTION_KEY}
      # Docker spawner config (for ansible runner)
      DOCKER_REGISTRY_URL: ${DOCKER_REGISTRY_URL:-code.letsbe.solutions}
      DOCKER_IMAGE_NAME: ${DOCKER_IMAGE_NAME:-letsbe/ansible-runner}
      DOCKER_IMAGE_TAG: ${DOCKER_IMAGE_TAG:-master}
      DOCKER_MAX_CONCURRENT: ${DOCKER_MAX_CONCURRENT:-3}
      # Host paths for job configs (runner containers need access)
      JOBS_HOST_DIR: ${JOBS_HOST_DIR:-/opt/letsbe-hub/jobs}
      LOGS_HOST_DIR: ${LOGS_HOST_DIR:-/opt/letsbe-hub/logs}
    volumes:
      # Docker socket for spawning runner containers
      - /var/run/docker.sock:/var/run/docker.sock
      # Job configs (bind mount to host path so runners can access)
      - ${JOBS_HOST_DIR:-/opt/letsbe-hub/jobs}:/app/jobs
      - ${LOGS_HOST_DIR:-/opt/letsbe-hub/logs}:/app/logs
    # Run as root to access Docker socket
    user: "0:0"
    depends_on:
      db:
        condition: service_healthy
    restart: unless-stopped
    networks:
      - hub-internal
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.hub.rule=Host(`${HUB_DOMAIN}`)"
      - "traefik.http.routers.hub.entrypoints=websecure"
      - "traefik.http.routers.hub.tls.certresolver=letsencrypt"
      - "traefik.http.services.hub.loadbalancer.server.port=3000"

volumes:
  hub-db-data:
    name: letsbe-hub-db

networks:
  hub-internal:
  traefik:
    external: true