services:
  # ── App (Elysia/Bun) ─────────────────────────────────────────────────────
  app:
    build:
      context: .
      dockerfile: Dockerfile
      target: runner
    restart: unless-stopped
    # `expose` only documents the port for other containers on rebour-net;
    # nothing is published on the host, so nginx is the only entry point.
    expose:
      - "3000"
    environment:
      NODE_ENV: production
      # Both Stripe values are interpolated from the shell / .env file at
      # `docker compose` time. An unset variable expands to an empty string
      # (Compose only prints a warning).
      # NOTE(review): consider the `${VAR:?message}` form so a missing secret
      # aborts the deployment instead of starting the app without it, and
      # keep the .env file out of version control.
      STRIPE_SECRET_KEY: "${STRIPE_SECRET_KEY}"
      STRIPE_WEBHOOK_SECRET: "${STRIPE_WEBHOOK_SECRET}"
      # Falls back to plain-HTTP localhost when DOMAIN is unset.
      # NOTE(review): set an https:// origin explicitly in production.
      DOMAIN: "${DOMAIN:-http://localhost}"
    networks:
      - rebour-net
    # Marks the container healthy once robots.txt can be fetched locally.
    healthcheck:
      test:
        - CMD-SHELL
        - "wget -qO- http://localhost:3000/robots.txt || exit 1"
      interval: 5s
      timeout: 3s
      retries: 5
      start_period: 5s

  # ── Nginx: reverse proxy, gzip, cache headers, API rate limiting ─────────
  nginx:
    # NOTE(review): the tag is mutable; pin the image by digest if deploys
    # must be reproducible.
    image: nginx:1.27-alpine
    # NOTE(review): differs from the app's `unless-stopped` policy; confirm
    # this is intentional.
    restart: on-failure
    # Published on every host interface.
    ports:
      - "0.0.0.0:80:80"
      - "0.0.0.0:443:443"
    volumes:
      # Configuration is mounted read-only.
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      # In production: uncomment to mount the Let's Encrypt certificates.
      # Port 443 is already published above; until this mount is enabled,
      # whether TLS is actually served depends on nginx.conf (not shown here).
      # - /etc/letsencrypt:/etc/letsencrypt:ro
      - nginx-logs:/var/log/nginx
    # Short form: controls start order only and does not wait for the app's
    # healthcheck to pass.
    # NOTE(review): `condition: service_healthy` would gate nginx on it.
    depends_on:
      - app
    networks:
      - rebour-net

networks:
  rebour-net:
    driver: bridge

volumes:
  nginx-logs: