# Production overlay. Apply on top of docker-compose.yml:
#
#   docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d
#
# Pre-flight checks:
#   - PICLOUD_DOMAIN and PICLOUD_ADMIN_EMAIL must be set (Caddy uses them
#     for automatic Let's Encrypt issuance).
#   - POSTGRES_PASSWORD must be set to a real secret, not the dev default.

services:
  postgres:
    # Pull the published port mapping; Postgres is reachable only inside
    # the compose network in production.
    ports: !reset []
    restart: unless-stopped

  picloud:
    restart: unless-stopped
    environment:
      RUST_LOG: ${RUST_LOG:-info,picloud=info}

  dashboard:
    restart: unless-stopped

  caddy:
    # Swap the dev Caddyfile for the prod one, expose 80/443, pass the
    # domain + admin email through for Let's Encrypt.
    volumes:
      - ./caddy/Caddyfile.prod:/etc/caddy/Caddyfile:ro
      - caddy_data:/data
      - caddy_config:/config
    ports: !override
      - "80:80"
      - "443:443"
      - "443:443/udp"
    environment:
      PICLOUD_DOMAIN: ${PICLOUD_DOMAIN}
      PICLOUD_ADMIN_EMAIL: ${PICLOUD_ADMIN_EMAIL}
    restart: unless-stopped