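# WireGUI — unified compose stack
#
# Dev mode (app runs on host):
#   make dev              — starts infra + mock IdPs, runs app locally
#   make dev-up           — starts infra only
#
# Integration test mode (real WireGuard + mock clients + metrics):
#   make test-stack-up    — seeds DB, builds, starts everything
#   make test-stack-down  — tears down and removes volumes
#
# Services are opt-in: only start what you need.
#
# Security notes:
#   * Every credential and secret in this file is a fixed, publicly known test
#     value. This stack is for local development and integration tests only.
#   * Published ports are bound to 127.0.0.1. A bare "HOST:CONTAINER" mapping
#     listens on all host interfaces, and Docker-published ports commonly
#     bypass host firewall rules, which would put these default-credential
#     services on the local network. Every URL documented below uses
#     localhost, so loopback binding keeps the dev and test flows working.

services:
  # ---------------------------------------------------------------------------
  # Core infrastructure (always needed)
  # ---------------------------------------------------------------------------
  postgres:
    image: postgres:17
    ports:
      - "127.0.0.1:5432:5432"
    environment:
      # Test-only credentials; also embedded in WG_DATABASE_URL below.
      POSTGRES_USER: wiregui
      POSTGRES_PASSWORD: wiregui
      POSTGRES_DB: wiregui
    volumes:
      - postgres_data:/var/lib/postgresql/data

  valkey:
    image: valkey/valkey:8
    # No password is configured for this instance here, so it must stay
    # reachable only from loopback and the compose network.
    ports:
      - "127.0.0.1:6379:6379"
    volumes:
      - valkey_data:/data

  # ---------------------------------------------------------------------------
  # Mock identity providers (dev + e2e tests)
  # ---------------------------------------------------------------------------

  # OIDC — accepts any login, issues real JWTs
  # Discovery: http://localhost:9000/test-idp/.well-known/openid-configuration
  # Because any login is accepted, never configure this issuer as a trusted
  # IdP for a deployment that holds real users or data.
  mock-oidc:
    image: ghcr.io/navikt/mock-oauth2-server:2.1.10
    ports:
      - "127.0.0.1:9000:9000"
    environment:
      SERVER_PORT: "9000"
      # "$$" is Compose escaping for a literal "$"; the server receives
      # "${claim:sub}" unchanged.
      JSON_CONFIG: >
        {
          "interactiveLogin": true,
          "httpServer": "NettyWrapper",
          "tokenCallbacks": [
            {
              "issuerId": "test-idp",
              "tokenExpiry": 3600,
              "requestMappings": [
                {
                  "requestParam": "scope",
                  "match": "*",
                  "claims": {
                    "sub": "$${claim:sub}",
                    "email": "$${claim:sub}@test.local",
                    "name": "Test User"
                  }
                }
              ]
            }
          ]
        }

  # SAML — SimpleSAMLphp as IdP
  # Metadata: http://localhost:8080/simplesaml/saml2/idp/metadata.php
  # Admin:    http://localhost:8080/simplesaml (admin / secret)
  # Users:    user1/password, user2/password
  # NOTE(review): this image has no tag, so each pull resolves to whatever the
  # registry currently serves. Pin it to a reviewed tag or digest
  # (kenchan0130/simplesamlphp@sha256:<DIGEST_PLACEHOLDER>), as the other
  # images in this file are pinned.
  mock-saml:
    image: kenchan0130/simplesamlphp
    ports:
      - "127.0.0.1:8080:8080"
    environment:
      SIMPLESAMLPHP_SP_ENTITY_ID: "http://localhost:13000/auth/saml/test-saml/metadata"
      SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: "http://localhost:13000/auth/saml/test-saml/callback"
      SIMPLESAMLPHP_IDP_BASE_URL: http://localhost:8080/simplesaml/
    volumes:
      - ./docker/mock-saml/saml20-sp-remote.php:/var/www/simplesamlphp/metadata/saml20-sp-remote.php:ro

  # ---------------------------------------------------------------------------
  # WireGUI server (integration test mode — containerized with real WG)
  # ---------------------------------------------------------------------------
  wiregui:
    build: .
    ports:
      - "127.0.0.1:13000:13000"
      # 51820/udp exposed inside Docker network only — clients connect via service name
      # Uncomment to expose to host (this form listens on all host interfaces):
      # - "51820:51820/udp"
    environment:
      WG_DATABASE_URL: postgresql+asyncpg://wiregui:wiregui@postgres/wiregui
      WG_REDIS_URL: redis://valkey:6379/0
      WG_WG_ENABLED: "true"
      WG_EXTERNAL_URL: http://localhost:13000
      WG_ENDPOINT_HOST: wiregui
      WG_METRICS_ENABLED: "true"
      WG_METRICS_POLL_INTERVAL: "5"
      WG_VICTORIAMETRICS_URL: http://victoriametrics:8428
      # Fixed integration-test admin account and secret key. Never reuse these
      # values outside this stack.
      WG_ADMIN_EMAIL: admin@test.local
      WG_ADMIN_PASSWORD: admin123
      WG_LOG_TO_FILE: "false"
      WG_SECRET_KEY: test-secret-key-for-integration
    # NET_ADMIN and the forwarding sysctls apply inside this container's
    # network namespace; presumably needed to configure the WireGuard
    # interface and route peer traffic — confirm before widening either.
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv6.conf.all.forwarding=1
    depends_on:
      - postgres
      - valkey

  # ---------------------------------------------------------------------------
  # Metrics (integration test mode)
  # ---------------------------------------------------------------------------
  victoriametrics:
    image: victoriametrics/victoria-metrics:v1.108.1
    ports:
      - "127.0.0.1:8428:8428"
    command:
      - "-retentionPeriod=7d"
      - "-httpListenAddr=:8428"
    volumes:
      - vm_data:/victoria-metrics-data

  # ---------------------------------------------------------------------------
  # Mock WireGuard clients (integration test mode)
  # Configs generated by: make test-stack-seed
  # The mounted client*.conf files are WireGuard configs and are mounted
  # read-only. NOTE(review): they presumably contain generated private keys —
  # confirm docker/mock-clients/configs/ is excluded from version control.
  # ---------------------------------------------------------------------------
  client1:
    build: docker/mock-clients
    environment:
      CLIENT_IP: ${CLIENT1_IP:-10.3.2.101}
      PEER_IPS: ${CLIENT1_PEERS:-10.3.2.102 10.3.2.103}
      PING_INTERVAL: "3"
    volumes:
      - ./docker/mock-clients/configs/client1.conf:/etc/wireguard/wg0.conf:ro
    cap_add:
      - NET_ADMIN
    depends_on:
      - wiregui

  client2:
    build: docker/mock-clients
    environment:
      CLIENT_IP: ${CLIENT2_IP:-10.3.2.102}
      PEER_IPS: ${CLIENT2_PEERS:-10.3.2.101 10.3.2.103}
      PING_INTERVAL: "3"
    volumes:
      - ./docker/mock-clients/configs/client2.conf:/etc/wireguard/wg0.conf:ro
    cap_add:
      - NET_ADMIN
    depends_on:
      - wiregui

  client3:
    build: docker/mock-clients
    environment:
      CLIENT_IP: ${CLIENT3_IP:-10.3.2.103}
      PEER_IPS: ${CLIENT3_PEERS:-10.3.2.101 10.3.2.102}
      PING_INTERVAL: "3"
    volumes:
      - ./docker/mock-clients/configs/client3.conf:/etc/wireguard/wg0.conf:ro
    cap_add:
      - NET_ADMIN
    depends_on:
      - wiregui

volumes:
  postgres_data:
  valkey_data:
  vm_data: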