# Secure Docker Compose Configuration
# This file contains security hardening for the infrastructure
# Use: docker-compose -f docker-compose.yml -f docker-compose.security.yml up

services:
  # Hardened Database Configuration
  db:
    image: mariadb:11.4-jammy  # Pinned version for security
    environment:
      # Use Docker secrets instead of hardcoded passwords
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
      MYSQL_DATABASE: ${DB_DATABASE:-framework}
      MYSQL_USER: ${DB_USERNAME:-app_user}
      MYSQL_PASSWORD_FILE: /run/secrets/db_user_password
      MYSQL_INITDB_SKIP_TZINFO: 1
    # Remove exposed ports - only internal container access
    ports: []
    expose:
      - "3306"
    volumes:
      - ./docker/mysql/conf.d:/etc/mysql/conf.d:ro
    secrets:
      - db_root_password
      - db_user_password
    security_opt:
      - no-new-privileges:true
    user: "999:999"  # mysql user
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - DAC_OVERRIDE
      - SETGID
      - SETUID
    deploy:
      resources:
        limits:
          memory: 1G
          cpus: '1.0'
        reservations:
          memory: 512M

  # Hardened Redis Configuration
  redis:
    image: redis:7-alpine  # Stable version
    volumes:
      - ./docker/redis/redis-secure.conf:/usr/local/etc/redis/redis.conf:ro
    secrets:
      - redis_password
    healthcheck:
      test: ["CMD", "redis-cli", "--no-auth-warning", "-a", "$(cat /run/secrets/redis_password)", "ping"]
      interval: 30s
      timeout: 5s
      retries: 3
    security_opt:
      - no-new-privileges:true
    user: "999:1000"
    cap_drop:
      - ALL
    deploy:
      resources:
        limits:
          memory: 256M
          cpus: '0.5'

  # Hardened Queue Worker
  queue-worker:
    user: "1000:1000"
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    deploy:
      resources:
        limits:
          memory: 512M
          cpus: '0.5'
        reservations:
          memory: 256M

  # Hardened PHP Container
  php:
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - DAC_OVERRIDE
    deploy:
      resources:
        limits:
          memory: 1G
          cpus: '1.0'

  # Hardened Web Container
  web:
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - DAC_OVERRIDE
      - NET_BIND_SERVICE
    deploy:
      resources:
        limits:
          memory: 256M
          cpus: '0.5'

# Docker Secrets Configuration
secrets:
  db_root_password:
    file: ./secrets/db_root_password.txt
  db_user_password:
    file: ./secrets/db_user_password.txt
  redis_password:
    file: ./secrets/redis_password.txt

# Secure Networks
networks:
  frontend:
    driver: bridge
    driver_opts:
      com.docker.network.enable_ipv6: "false"
    internal: false
  backend:
    driver: bridge
    driver_opts:
      com.docker.network.enable_ipv6: "false"
    internal: true
  cache:
    driver: bridge
    driver_opts:
      com.docker.network.enable_ipv6: "false" 
    internal: true