services:

  db:
    image: mariadb:11
    restart: unless-stopped
    environment:
      MARIADB_ROOT_PASSWORD: ${MARIADB_ROOT_PASSWORD:-rootsecret}
      MARIADB_DATABASE:      ${ARA_DATABASE_NAME:-ara}
      MARIADB_USER:          ${ARA_DATABASE_USER:-ara}
      MARIADB_PASSWORD:      ${ARA_DATABASE_PASSWORD:-arasecret}
    volumes:
      - db_data:/var/lib/mysql
    healthcheck:
      test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 30s

  ara:
    build:
      context: .
      dockerfile: docker/Dockerfile
    image: ara:latest
    restart: unless-stopped
    depends_on:
      db:
        condition: service_healthy
    ports:
      - "${ARA_PORT:-8000}:${ARA_PORT:-8000}"
    environment:
      # -----------------------------------------------------------------------
      # Core
      # -----------------------------------------------------------------------
      ARA_BASE_DIR:    /opt/ara
      # SECRET_KEY must be set to a stable random value — if left unset a new
      # key is generated on every container start, invalidating Django sessions.
      # Generate one with: python3 -c "import secrets; print(secrets.token_hex(50))"
      ARA_SECRET_KEY:  ${ARA_SECRET_KEY:?ARA_SECRET_KEY must be set in .env}
      ARA_ALLOWED_HOSTS: ${ARA_ALLOWED_HOSTS:-["*"]}
      ARA_TIME_ZONE:   ${TZ:-UTC}
      ARA_LOG_LEVEL:   ${ARA_LOG_LEVEL:-INFO}
      # System timezone used by crond — keep in sync with ARA_TIME_ZONE
      TZ:              ${TZ:-UTC}

      # -----------------------------------------------------------------------
      # Database — MariaDB
      # -----------------------------------------------------------------------
      ARA_DATABASE_ENGINE:       django.db.backends.mysql
      ARA_DATABASE_NAME:         ${ARA_DATABASE_NAME:-ara}
      ARA_DATABASE_HOST:         db
      ARA_DATABASE_PORT:         ${ARA_DATABASE_PORT:-3306}
      ARA_DATABASE_USER:         ${ARA_DATABASE_USER:-ara}
      ARA_DATABASE_PASSWORD:     ${ARA_DATABASE_PASSWORD:-arasecret}
      ARA_DATABASE_CONN_MAX_AGE: ${ARA_DATABASE_CONN_MAX_AGE:-60}

      # -----------------------------------------------------------------------
      # Security / auth
      # -----------------------------------------------------------------------
      ARA_READ_LOGIN_REQUIRED:  ${ARA_READ_LOGIN_REQUIRED:-false}
      ARA_WRITE_LOGIN_REQUIRED: ${ARA_WRITE_LOGIN_REQUIRED:-false}

      # -----------------------------------------------------------------------
      # Server tuning
      # -----------------------------------------------------------------------
      ARA_PORT:             ${ARA_PORT:-8000}
      ARA_GUNICORN_WORKERS: ${ARA_GUNICORN_WORKERS:-4}
      ARA_PAGE_SIZE:        ${ARA_PAGE_SIZE:-100}

      # -----------------------------------------------------------------------
      # Maintenance — prune playbooks older than ARA_PRUNE_DAYS
      # -----------------------------------------------------------------------
      ARA_PRUNE_DAYS: ${ARA_PRUNE_DAYS:-30}
      ARA_PRUNE_CRON: ${ARA_PRUNE_CRON:-0 2 * * *}

volumes:
  db_data: