services:
  app:
    build:
      context: .
      target: runner
    restart: always
    networks:
      - traefik-public
      - internal
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.axil.entrypoints=websecure"
      - "traefik.http.routers.axil.rule=Host(`axil.ai-impress.com`)"
      - "traefik.http.routers.axil.tls.certresolver=cloudflare"
      - "traefik.http.routers.axil.middlewares=security-headers@file"
      - "traefik.http.services.axil.loadbalancer.server.port=3000"
      - "traefik.docker.network=traefik-public"
    env_file:
      - .env.production
    depends_on:
      db:
        condition: service_healthy

  db:
    image: postgres:17-alpine
    restart: always
    networks:
      - internal
    environment:
      POSTGRES_USER: ${DB_USER:-axil}
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_DB: ${DB_NAME:-axil}
    volumes:
      - pgdata:/var/lib/postgresql/data
    healthcheck:
      test: ['CMD-SHELL', 'pg_isready -U ${DB_USER:-axil}']
      interval: 5s
      timeout: 5s
      retries: 10

networks:
  traefik-public:
    external: true
  internal:
    driver: bridge

volumes:
  pgdata: