# KeyGate — Production Docker Compose
# Usage: docker compose -f docker-compose.prod.yml up -d
#
# Differences from dev (docker-compose.yml):
# - No PHPMyAdmin service
# - No exposed database port (3306)
# - No exposed Redis port (6379)
# - No test-data volume mount
# - Restart policies on all services
# - Web container uses built image (no live source mount)
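version: '3.8'

services:
  # PHP/Apache front end; the only service that publishes host ports.
  web:
    build:
      context: .
      dockerfile: Dockerfile.php
    container_name: oem-activation-web
    restart: unless-stopped
    # NOTE(review): both ports bind on every host interface and 8080 is
    # plain HTTP. Confirm a TLS-terminating proxy or firewall fronts them.
    ports:
      - "8080:80"
      - "8443:443"
    volumes:
      # NOTE(review): this bind mount overlays the application directory
      # with the host checkout, although the file header says the web
      # container has no live source mount. Confirm which is intended.
      - ./FINAL_PRODUCTION_SYSTEM:/var/www/html/activate
      # NOTE(review): logs and backups are mounted below the application
      # path. Confirm the web server refuses direct requests for them.
      - ./logs:/var/www/html/activate/logs
      - ./backups:/var/www/html/activate/backups
      # NOTE(review): presumably holds the TLS key pair; consider ":ro"
      # if the container only reads it (confirm nothing writes here).
      - ./ssl:/etc/apache2/ssl
    environment:
      - DB_HOST=${DB_HOST}
      - DB_NAME=${DB_NAME}
      - DB_USER=${DB_USER}
      # ":?" aborts "docker compose up" when a secret is unset or empty,
      # instead of starting the stack with a blank credential.
      - DB_PASS=${DB_PASS:?DB_PASS must be set}
      - BACKUP_RETENTION_DAYS=${BACKUP_RETENTION_DAYS:-30}
      - REDIS_HOST=${REDIS_HOST:-redis}
      - REDIS_PORT=${REDIS_PORT:-6379}
      - REDIS_PASSWORD=${REDIS_PASSWORD:?REDIS_PASSWORD must be set}
      - CORS_ORIGINS=${CORS_ORIGINS:-}
      - APP_TIMEZONE=${APP_TIMEZONE:-UTC}
    depends_on:
      db:
        condition: service_healthy
    networks:
      - oem-network
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost/activate/"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s

  # MariaDB; reachable only by containers attached to oem-network.
  db:
    image: mariadb:10.11
    container_name: oem-activation-db
    restart: unless-stopped
    environment:
      - MARIADB_ROOT_PASSWORD=${MARIADB_ROOT_PASSWORD:?MARIADB_ROOT_PASSWORD must be set}
      - MARIADB_DATABASE=${DB_NAME}
      - MARIADB_USER=${DB_USER}
      - MARIADB_PASSWORD=${DB_PASS:?DB_PASS must be set}
      - MARIADB_AUTO_UPGRADE=1
    # No ports exposed — only accessible from oem-network
    volumes:
      - mariadb-data:/var/lib/mysql
      - ./FINAL_PRODUCTION_SYSTEM/database/docker-init:/docker-entrypoint-initdb.d
      - ./FINAL_PRODUCTION_SYSTEM/database:/docker-entrypoint-initdb.d/sql
    networks:
      - oem-network
    healthcheck:
      test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 30s
    command: >
      --character-set-server=utf8mb4
      --collation-server=utf8mb4_unicode_ci
      --max_connections=200
      --innodb_buffer_pool_size=256M
      --innodb_log_file_size=64M
      --innodb_flush_log_at_trx_commit=2
      --innodb_flush_method=O_DIRECT

  # Redis; password-protected and reachable only from oem-network.
  redis:
    image: redis:7.2-alpine
    container_name: oem-activation-redis
    restart: unless-stopped
    # List form keeps the password a single argument, so whitespace or
    # quote characters in it are not re-split. The value is still visible
    # in the container's process arguments and in "docker inspect".
    command:
      - redis-server
      - --requirepass
      - "${REDIS_PASSWORD:?REDIS_PASSWORD must be set}"
      - --maxmemory
      - 256mb
      - --maxmemory-policy
      - allkeys-lru
    environment:
      # Read by redis-cli so the healthcheck below can authenticate.
      - REDISCLI_AUTH=${REDIS_PASSWORD:?REDIS_PASSWORD must be set}
    volumes:
      - redis-data:/data
    networks:
      - oem-network
    # No ports exposed — only accessible from oem-network
    healthcheck:
      # Authenticated, read-only probe. The earlier "incr ping" probe sent
      # no password despite --requirepass and wrote a key on every run.
      test: ["CMD-SHELL", "redis-cli ping | grep -q PONG"]
      interval: 10s
      timeout: 3s
      retries: 5
      start_period: 10s

  # No PHPMyAdmin in production — use CLI or secure tunnel for DB admin

  # Nightly dump job (03:00) driven by a crontab installed at start-up.
  backup:
    image: mariadb:10.11
    container_name: oem-activation-backup
    restart: unless-stopped
    volumes:
      - ./FINAL_PRODUCTION_SYSTEM/scripts:/scripts:ro
      - ./backups:/var/www/html/activate/backups
    environment:
      - DB_HOST=${DB_HOST:-db}
      - DB_NAME=${DB_NAME}
      - DB_USER=${DB_USER}
      - DB_PASS=${DB_PASS:?DB_PASS must be set}
      - BACKUP_RETENTION_DAYS=${BACKUP_RETENTION_DAYS:-30}
    # NOTE(review): confirm this image provides "crontab" and "crond".
    # If it does not, the entrypoint exits, the restart policy loops,
    # and no backups are written.
    entrypoint: >
      sh -c 'echo "0 3 * * * /scripts/backup-database.sh >> /var/log/backup.log 2>&1" | crontab - && crond -f'
    depends_on:
      db:
        condition: service_healthy
    networks:
      - oem-network

networks:
  oem-network:
    driver: bridge
    ipam:
      config:
        - subnet: 172.28.0.0/16

volumes:
  mariadb-data:
    driver: local
  redis-data:
    driver: local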