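# TrueNAS homelab override — public hosting at https://cannamanage.plate-software.de
# Applied on top of docker-compose.yml for the homelab deployment on TrueNAS.local.
#
# Topology (same proven chain as Gitea + InspectFlow):
#   browser ──HTTPS──> IONOS Apache (82.165.206.45, TLS via acme.sh)
#     ──ProxyPass──> VPS frps (85.214.154.199:30010)
#     ──frp tunnel──> TrueNAS frpc ──> frontend:3000 (this stack)
#   frontend proxies /api/backend/* to backend:8080 via the server-side
#   Route Handler (src/app/api/backend/[...path]/route.ts), so only the
#   frontend port needs to be tunnelled — no separate API exposure.
#
# Usage (run by the Gitea act_runner on push to main):
#   docker compose -f docker-compose.yml -f docker-compose.truenas.yml \
#     -p cannamanage up -d --build --remove-orphans
#
# Secrets: every credential below uses the `${VAR:?message}` interpolation
# form. `compose up` then aborts with that message when the runner has not
# exported the variable, instead of silently bringing the public stack up
# with an empty secret or a development fallback password.

services:
  db:
    # POSTGRES_PASSWORD only takes effect on FIRST volume init; the existing
    # cannamanage_pgdata volume keeps its current role password. The live role
    # password is rotated out-of-band via `ALTER USER` to match ${DB_PASSWORD}.
    # This value is here so a fresh volume initialises with the prod password —
    # which is exactly why it must never fall back to a dev default here.
    environment:
      POSTGRES_PASSWORD: "${DB_PASSWORD:?DB_PASSWORD is required for the TrueNAS deployment}"

  backend:
    # Host port 8080 is taken by odysseus-searxng-1; remap to 8081.
    # !override replaces the inherited ports list (compose merges lists by
    # concat otherwise); it needs a Compose release that understands the tag.
    # Internal container port stays 8080 so frontend's BACKEND_URL=http://backend:8080
    # is unaffected.
    ports: !override
      - "8081:8080"
    environment:
      # Real production password (must match the live DB role, see ALTER USER above).
      SPRING_DATASOURCE_PASSWORD: "${DB_PASSWORD:?DB_PASSWORD is required for the TrueNAS deployment}"
      # Rotated production JWT signing key (base64 — JwtService base64-decodes it).
      # Rotating this invalidates all previously issued access/refresh tokens.
      # An unset value used to interpolate to "", so fail fast instead.
      CANNAMANAGE_SECURITY_JWT_SECRET: "${JWT_SECRET:?JWT_SECRET is required for the TrueNAS deployment}"

  frontend:
    environment:
      # Public origin so NextAuth callbacks/cookies resolve to the HTTPS host.
      NEXTAUTH_URL: "https://cannamanage.plate-software.de"
      AUTH_URL: "https://cannamanage.plate-software.de"
      # NextAuth v5 (Auth.js) reads AUTH_SECRET. Rotating it invalidates sessions.
      # Required: an empty AUTH_SECRET must not reach a publicly reachable stack.
      AUTH_SECRET: "${AUTH_SECRET:?AUTH_SECRET is required for the TrueNAS deployment}"
      # Trust the X-Forwarded-* headers from the Apache/frp chain (we terminate
      # TLS upstream and proxy plain HTTP into the container). Kept as a string
      # because the consumer reads an env var, not a YAML boolean.
      AUTH_TRUST_HOST: "true"
      # Server-side proxy target for /api/backend/* (internal compose DNS).
      BACKEND_URL: "http://backend:8080"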