---
# Production docker-compose for the medassist backend and frontend.
#
# Both services run with a read-only root filesystem, all Linux capabilities
# dropped, no-new-privileges set, and noexec/nosuid tmpfs mounts for the paths
# the processes still need to write to.
#
# NOTE(review): neither service declares a restart policy or a pids_limit;
# confirm that is intended for a production deployment.

services:

  # Node backend (distroless image; node lives at /nodejs/bin/node).
  backend:
    image: 'git.danielvolz.org/daniel/medassist/backend:0.0.1'

    # Runtime configuration / secrets come from the untracked .env file.
    # NOTE(review): confirm .env is excluded from VCS and from the image build.
    env_file:
      - .env

    # Persistent application data lives on the host in ./data.
    volumes:
      - './data:/app/data'

    # host:container. NOTE(review): this publishes the API on every host
    # interface; if a reverse proxy fronts it, binding to 127.0.0.1 is safer.
    ports:
      - '4000:3000'

    # Hardening.
    security_opt:
      - 'no-new-privileges:true'
    read_only: true
    tmpfs:
      - '/tmp:noexec,nosuid,size=64m'
    cap_drop:
      - ALL

    # The frontend waits for this check to pass (depends_on below). The probe
    # uses the container-internal port 3000 and exits 0 only on HTTP 200.
    healthcheck:
      test:
        - CMD
        - /nodejs/bin/node
        - -e
        - "require('http').get('http://localhost:3000/health', (r) => process.exit(r.statusCode === 200 ? 0 : 1)).on('error', () => process.exit(1))"
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s

  # nginx frontend, listening on the unprivileged port 8080 inside the container.
  # NOTE(review): no healthcheck is defined here, unlike the backend.
  frontend:
    image: 'git.danielvolz.org/daniel/medassist/frontend:0.0.1'

    # host:container
    ports:
      - '4174:8080'

    # Start only once the backend healthcheck reports healthy.
    depends_on:
      backend:
        condition: service_healthy

    # Hardening. nginx needs writable cache and pid directories, so those are
    # tmpfs rather than part of the read-only root.
    security_opt:
      - 'no-new-privileges:true'
    read_only: true
    tmpfs:
      - '/tmp:noexec,nosuid,size=64m'
      - '/var/cache/nginx:noexec,nosuid,size=64m'
      - '/var/run:noexec,nosuid,size=64m'
    cap_drop:
      - ALL