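# tau-rag production stack
#
# Services:
#   tau-rag     — the API server (Dockerfile.prod)
#   nginx       — reverse proxy + TLS termination + rate limiting
#   prometheus  — metrics scraping
#   grafana     — dashboards
#
# Bring up:  docker compose -f docker-compose.prod.yml --env-file .env up -d
# Logs:      docker compose -f docker-compose.prod.yml logs -f tau-rag
# Down:      docker compose -f docker-compose.prod.yml down
#
# Exposure model: nginx is the only service with a `ports:` mapping, so it is
# the only one published on the host. Every other service uses `expose:` and
# is reachable solely from containers attached to tau-rag-net.
#
# Required variables (compose refuses to load this file without them):
#   GRAFANA_ADMIN_PASSWORD — Grafana admin password; no default is provided.
#
# NOTE(review): images below are pinned by tag, and tags are mutable. Pinning
# by digest (image@sha256:<digest>) would make deployments reproducible.

# Compose v2 treats this key as informational only.
version: "3.9"

services:
  # ========================================================= tau-rag
  tau-rag:
    build:
      context: .
      dockerfile: Dockerfile.prod
    image: tau-rag:${TAU_RAG_VERSION:-prod}
    container_name: tau-rag
    restart: unless-stopped
    # .env presumably carries application secrets; keep it out of version
    # control and readable only by the deploying user.
    env_file:
      - .env
    volumes:
      - runtime:/app/runtime
      - hf-cache:/home/taurag/.cache/huggingface
      # Mount LawDBHeb as read-only (adjust host path on target machine)
      - ${LAWDBHEB_HOST_PATH:-./data/LawDBHeb}:/data/LawDBHeb:ro
    # Not published on the host; nginx reaches the API over tau-rag-net.
    expose:
      - "8000"
    healthcheck:
      test: ["CMD", "/app/tau_rag/scripts/healthcheck.sh"]
      interval: 30s
      timeout: 5s
      start_period: 45s
      retries: 3
    deploy:
      resources:
        limits:
          cpus: "4.0"
          memory: 6G
        reservations:
          cpus: "1.0"
          memory: 2G
    networks:
      - tau-rag-net
    # Rotate container logs so they cannot fill the host disk.
    logging:
      driver: json-file
      options:
        max-size: "50m"
        max-file: "5"

  # ========================================================= nginx
  nginx:
    image: nginx:1.27-alpine
    container_name: tau-rag-nginx
    restart: unless-stopped
    # Do not accept traffic until the API passes its healthcheck.
    depends_on:
      tau-rag:
        condition: service_healthy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./deployment/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./deployment/nginx/conf.d:/etc/nginx/conf.d:ro
      # Holds the TLS certificate and private key; the host directory should
      # be excluded from version control and have restrictive permissions.
      - ./deployment/nginx/certs:/etc/nginx/certs:ro
    networks:
      - tau-rag-net
    logging:
      driver: json-file
      options:
        max-size: "20m"
        max-file: "5"

  # ========================================================= prometheus
  # NOTE(review): unlike tau-rag and nginx, prometheus and grafana set no
  # `logging:` limits, so their json-file logs grow unbounded.
  prometheus:
    image: prom/prometheus:v2.54.0
    container_name: tau-rag-prometheus
    restart: unless-stopped
    volumes:
      - ./deployment/prometheus/prometheus.yml:/etc/prometheus/prometheus.yml:ro
      - ./deployment/prometheus/rules:/etc/prometheus/rules:ro
      - prometheus-data:/prometheus
    command:
      - "--config.file=/etc/prometheus/prometheus.yml"
      - "--storage.tsdb.path=/prometheus"
      - "--storage.tsdb.retention.time=30d"
      - "--web.console.libraries=/etc/prometheus/console_libraries"
      - "--web.console.templates=/etc/prometheus/consoles"
    # No authentication is configured here; 9090 is only reachable on
    # tau-rag-net. If nginx proxies it (not visible in this file), protect
    # that location with authentication.
    expose:
      - "9090"
    networks:
      - tau-rag-net

  # ========================================================= grafana
  grafana:
    image: grafana/grafana:11.1.0
    container_name: tau-rag-grafana
    restart: unless-stopped
    depends_on:
      - prometheus
    environment:
      - GF_SECURITY_ADMIN_USER=${GRAFANA_ADMIN_USER:-admin}
      # Fail closed: `:?` aborts compose when the variable is unset or empty,
      # so the stack can never start with a well-known fallback password.
      - "GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_ADMIN_PASSWORD:?set GRAFANA_ADMIN_PASSWORD in .env}"
      - GF_USERS_ALLOW_SIGN_UP=false
      - GF_AUTH_ANONYMOUS_ENABLED=false
    volumes:
      - grafana-data:/var/lib/grafana
      - ./deployment/grafana/dashboards:/etc/grafana/provisioning/dashboards:ro
      - ./deployment/grafana/datasources:/etc/grafana/provisioning/datasources:ro
    # Not published on the host; reachable only over tau-rag-net.
    expose:
      - "3000"
    networks:
      - tau-rag-net

networks:
  tau-rag-net:
    driver: bridge

volumes:
  runtime:
  hf-cache:
  prometheus-data:
  grafana-data: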