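# Development stack for SecretumVault: the vault itself, three candidate
# storage backends (etcd, SurrealDB, PostgreSQL) and a Prometheus/Grafana
# pair for metrics.
#
# Security notes for anyone reusing this file:
# - Every host-published port is bound to 127.0.0.1. Containers reach each
#   other over vault-network by service name, so the loopback binding only
#   limits who can connect from outside the Docker host. Widen a binding
#   deliberately, per port, if remote access is really needed.
# - The PostgreSQL and Grafana credentials below are development defaults.
#   They can be overridden from the shell environment or an .env file and
#   must not be used as-is anywhere that holds real secrets.
# - Images tagged `latest` are unpinned, so a pull can silently change the
#   running version. Pin them to a tag or digest you have verified.
version: '3.8'

services:
  # SecretumVault with etcd backend
  vault:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: secretumvault
    environment:
      RUST_LOG: info
      VAULT_CONFIG: /etc/secretumvault/svault.toml
    ports:
      - "127.0.0.1:8200:8200"  # API
      - "127.0.0.1:9090:9090"  # Metrics
    volumes:
      # Configuration is mounted read-only so the container cannot alter it.
      - ./docker/config/svault.toml:/etc/secretumvault/svault.toml:ro
      - vault-data:/var/lib/secretumvault
    depends_on:
      etcd:
        condition: service_healthy
    networks:
      - vault-network
    healthcheck:
      # The probe uses plain HTTP against the API port and needs curl to be
      # present in the image built from the Dockerfile.
      test: ["CMD", "curl", "-f", "http://localhost:8200/v1/sys/health"]
      interval: 10s
      timeout: 3s
      retries: 3
      start_period: 10s

  # etcd key-value store
  # Client and peer listeners use plain HTTP and no client authentication is
  # configured in this file, so anything that can reach port 2379 can read
  # and write the store backing the vault. Keep it off routable interfaces.
  etcd:
    image: quay.io/coreos/etcd:v3.5.9
    container_name: vault-etcd
    environment:
      ETCD_LISTEN_CLIENT_URLS: http://0.0.0.0:2379
      ETCD_ADVERTISE_CLIENT_URLS: http://etcd:2379
      ETCD_LISTEN_PEER_URLS: http://0.0.0.0:2380
      ETCD_INITIAL_ADVERTISE_PEER_URLS: http://etcd:2380
      ETCD_INITIAL_CLUSTER: default=http://etcd:2380
      ETCD_INITIAL_CLUSTER_STATE: new
      ETCD_INITIAL_CLUSTER_TOKEN: etcd-cluster
      ETCD_NAME: default
    ports:
      - "127.0.0.1:2379:2379"  # Client API
      - "127.0.0.1:2380:2380"  # Peer API
    volumes:
      - etcd-data:/etcd-data
    networks:
      - vault-network
    healthcheck:
      test: ["CMD", "etcdctl", "--endpoints=http://localhost:2379", "endpoint", "health"]
      interval: 10s
      timeout: 3s
      retries: 3
      start_period: 10s

  # SurrealDB for alternative storage
  # NOTE(review): no credentials are passed on the command line; confirm the
  # authentication defaults of whichever version `latest` resolves to.
  # NOTE(review): the database path in `command` is relative, while the named
  # volume is mounted at /surrealdb-data; confirm the data lands on the volume.
  surrealdb:
    image: surrealdb/surrealdb:latest
    container_name: vault-surrealdb
    command: start --log info file://surrealdb.db
    ports:
      - "127.0.0.1:8000:8000"  # API
    volumes:
      - surrealdb-data:/surrealdb-data
    networks:
      - vault-network
    healthcheck:
      # NOTE(review): assumes curl exists in the image; verify.
      test: ["CMD", "curl", "-f", "http://localhost:8000/health"]
      interval: 10s
      timeout: 3s
      retries: 3
      start_period: 10s

  # PostgreSQL for optional backend
  postgres:
    image: postgres:15-alpine
    container_name: vault-postgres
    environment:
      POSTGRES_DB: secretumvault
      POSTGRES_USER: vault
      # Development default only. Override it from the environment for any
      # shared host, and keep the vault's own backend configuration in step
      # with whatever value is used here.
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:-vault-dev-only}"
    ports:
      - "127.0.0.1:5432:5432"
    volumes:
      - postgres-data:/var/lib/postgresql/data
    networks:
      - vault-network
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U vault"]
      interval: 10s
      timeout: 3s
      retries: 3
      start_period: 10s

  # Prometheus for metrics scraping
  prometheus:
    image: prom/prometheus:latest
    container_name: vault-prometheus
    ports:
      # Host port 9091 avoids a clash with the vault metrics port on 9090.
      - "127.0.0.1:9091:9090"
    volumes:
      - ./docker/config/prometheus.yml:/etc/prometheus/prometheus.yml:ro
      - prometheus-data:/prometheus
    command:
      - '--config.file=/etc/prometheus/prometheus.yml'
      - '--storage.tsdb.path=/prometheus'
    networks:
      - vault-network
    depends_on:
      - vault

  # Grafana for visualization
  grafana:
    image: grafana/grafana:latest
    container_name: vault-grafana
    environment:
      # admin/admin is a widely known default pair. It stays as the
      # fallback for local use; override the password from the environment.
      GF_SECURITY_ADMIN_PASSWORD: "${GF_SECURITY_ADMIN_PASSWORD:-admin}"
      GF_SECURITY_ADMIN_USER: admin
    ports:
      - "127.0.0.1:3000:3000"
    volumes:
      - grafana-data:/var/lib/grafana
      - ./docker/config/grafana/dashboards:/etc/grafana/provisioning/dashboards:ro
      - ./docker/config/grafana/datasources:/etc/grafana/provisioning/datasources:ro
    networks:
      - vault-network
    depends_on:
      - prometheus

volumes:
  vault-data:
  etcd-data:
  surrealdb-data:
  postgres-data:
  prometheus-data:
  grafana-data:

networks:
  vault-network:
    driver: bridge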