services:
  backend:
    image: ghcr.io/danielvolz/medassist-ng-backend:main
    container_name: medassist-ng-backend
    env_file:
      - .env
    environment:
      - PUID=${PUID:-1000}
      - PGID=${PGID:-1000}
      - DATA_DIR=/app/data
    volumes:
      - ./data:/app/data
    ports:
      - "4000:3000"
    networks:
      - medassist-ng-net
    # Security options
    security_opt:
      - no-new-privileges:true
    tmpfs:
      - /tmp:noexec,nosuid,size=64m
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETUID
      - SETGID
    healthcheck:
      test: ["CMD", "node", "-e", "fetch('http://localhost:3000/health').then(r => process.exit(r.ok ? 0 : 1)).catch(() => process.exit(1))"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s

  frontend:
    image: ghcr.io/danielvolz/medassist-ng-frontend:main
    container_name: medassist-ng-frontend
    environment:
      - BACKEND_URL=backend:3000
    ports:
      - "4174:8080"
    networks:
      - medassist-ng-net
    depends_on:
      backend:
        condition: service_healthy
    # Security options
    security_opt:
      - no-new-privileges:true
    read_only: true
    tmpfs:
      - /tmp:noexec,nosuid,size=64m
      - /var/cache/nginx:noexec,nosuid,size=64m
      - /var/run:noexec,nosuid,size=64m
    cap_drop:
      - ALL

networks:
  medassist-ng-net:
    driver: bridge