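---
# Docker Compose stack for Ory Kratos: a PostgreSQL database, a one-shot
# schema migration job, the Kratos API server and the Kratos mail courier.
#
# Values are interpolated by Compose from the shell environment / .env file.
# Database credentials and the DSN use the ${VAR:?message} form so the stack
# refuses to start when they are missing, rather than running with empty
# values.
# Secrets passed as container environment variables are readable through
# `docker inspect`; keep the .env file out of version control.
services:
  postgres:
    image: postgres:${POSTGRES_VERSION:-14}-alpine
    container_name: kratos-postgres
    restart: unless-stopped
    environment:
      POSTGRES_USER: "${POSTGRES_USER:?POSTGRES_USER must be set}"
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}"
      POSTGRES_DB: "${POSTGRES_DB:?POSTGRES_DB must be set}"
      # Defaults to password authentication. Overriding this with `trust`
      # disables password checks for every client that can reach the database.
      POSTGRES_HOST_AUTH_METHOD: ${POSTGRES_HOST_AUTH_METHOD:-scram-sha-256}
    volumes:
      - postgres-data:/var/lib/postgresql/data
    networks:
      - kratos-internal
      # NOTE(review): ory-network is an external, shared network, so every
      # container attached to it can reach this database on 5432. If only the
      # Kratos services in this file use the database, kratos-internal alone is
      # enough. Confirm before removing.
      - ory-network
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
      interval: 10s
      timeout: 5s
      retries: 5
    # Port mapping removed - Kratos only needs internal network access

  # One-shot job: applies the Kratos SQL migrations and exits.
  kratos-migrate:
    build:
      context: .
      dockerfile: Dockerfile
      args:
        KRATOS_VERSION: ${KRATOS_VERSION}
    container_name: kratos-migrate
    environment:
      DSN: "${KRATOS_DSN:?KRATOS_DSN must be set}"
    command: migrate sql -e --yes --config /etc/kratos/kratos.yml
    networks:
      - kratos-internal
    depends_on:
      postgres:
        condition: service_healthy
    restart: on-failure

  kratos:
    build:
      context: .
      dockerfile: Dockerfile
      args:
        KRATOS_VERSION: ${KRATOS_VERSION}
    container_name: kratos
    restart: unless-stopped
    ports:
      - "${KRATOS_PUBLIC_PORT:-4433}:4433"
      # The Kratos admin API performs no authentication of its own, so it is
      # published on loopback by default. Containers on the attached networks
      # still reach it at kratos:4434. Set KRATOS_ADMIN_BIND only when an
      # authenticating proxy or firewall sits in front of the port.
      - "${KRATOS_ADMIN_BIND:-127.0.0.1}:${KRATOS_ADMIN_PORT:-4434}:4434"
    volumes:
      - ./courier-templates:/etc/kratos/courier-templates:ro
    environment:
      DSN: "${KRATOS_DSN:?KRATOS_DSN must be set}"
      # Compose substitutes an empty string for any of these that is unset.
      SECRETS_DEFAULT: ${SECRETS_DEFAULT}
      SECRETS_COOKIE: ${SECRETS_COOKIE}
      SECRETS_CIPHER: ${SECRETS_CIPHER}
      LOG_LEVEL: ${LOG_LEVEL:-info}
      SERVE_PUBLIC_BASE_URL: ${KRATOS_PUBLIC_URL}
      SERVE_ADMIN_BASE_URL: ${KRATOS_ADMIN_URL}
      # NOTE(review): confirm the image or kratos.yml actually consumes this
      # variable name; an ignored CORS setting fails silently.
      CORS_ALLOWED_ORIGINS: ${CORS_ALLOWED_ORIGINS}
      COURIER_SMTP_CONNECTION_URI: ${COURIER_SMTP_CONNECTION_URI}
      COURIER_SMTP_FROM_ADDRESS: ${COURIER_SMTP_FROM_ADDRESS}
      COURIER_SMTP_FROM_NAME: ${COURIER_SMTP_FROM_NAME}
    # KRATOS_DEV_MODE is appended verbatim to the command line (presumably
    # `--dev`, which relaxes Kratos' security checks). Leave it empty outside
    # local development.
    command: serve --config /etc/kratos/kratos.yml ${KRATOS_DEV_MODE:-}
    networks:
      - kratos-internal
      - ory-network
    depends_on:
      kratos-migrate:
        condition: service_completed_successfully
      postgres:
        condition: service_healthy

  # Background worker that delivers queued e-mail over SMTP.
  kratos-courier:
    build:
      context: .
      dockerfile: Dockerfile
      args:
        KRATOS_VERSION: ${KRATOS_VERSION}
    container_name: kratos-courier
    restart: unless-stopped
    volumes:
      - ./courier-templates:/etc/kratos/courier-templates:ro
    environment:
      DSN: "${KRATOS_DSN:?KRATOS_DSN must be set}"
      SECRETS_DEFAULT: ${SECRETS_DEFAULT}
      SECRETS_COOKIE: ${SECRETS_COOKIE}
      SECRETS_CIPHER: ${SECRETS_CIPHER}
      LOG_LEVEL: ${LOG_LEVEL:-info}
      SERVE_PUBLIC_BASE_URL: ${KRATOS_PUBLIC_URL}
      SERVE_ADMIN_BASE_URL: ${KRATOS_ADMIN_URL}
      COURIER_SMTP_CONNECTION_URI: ${COURIER_SMTP_CONNECTION_URI}
      COURIER_SMTP_FROM_ADDRESS: ${COURIER_SMTP_FROM_ADDRESS}
      COURIER_SMTP_FROM_NAME: ${COURIER_SMTP_FROM_NAME}
    command: courier watch --config /etc/kratos/kratos.yml
    # This check only runs `true`, so it reports healthy whenever the binary
    # exists in the image. It says nothing about whether mail is being sent;
    # monitor courier logs or delivery failures separately.
    healthcheck:
      test: ["CMD", "true"]
      interval: 30s
      timeout: 10s
      retries: 1
    networks:
      - kratos-internal
      - ory-network
    depends_on:
      kratos-migrate:
        condition: service_completed_successfully
      postgres:
        condition: service_healthy

networks:
  # Private bridge for database traffic between the services in this file.
  kratos-internal:
    driver: bridge
  # Pre-existing network shared with other stacks; must be created beforehand.
  ory-network:
    external: true
    name: ory-network

volumes:
  postgres-data:
    driver: local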