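# =============================================================================
# STELLA OPS - CRYPTOPRO CSP OVERLAY (Russia)
# =============================================================================
# CryptoPro CSP licensed provider overlay for compliance-russia.yml.
# Adds real CryptoPro CSP service for certified GOST R 34.10-2012 operations.
#
# IMPORTANT: Requires EULA acceptance before use.
#
# Usage (MUST be combined with stella-ops AND compliance-russia):
#   CRYPTOPRO_ACCEPT_EULA=1 docker compose \
#     -f docker-compose.stella-ops.yml \
#     -f docker-compose.compliance-russia.yml \
#     -f docker-compose.cryptopro.yml up -d
#
# For development/testing without CryptoPro license, use crypto-sim.yml instead:
#   docker compose \
#     -f docker-compose.stella-ops.yml \
#     -f docker-compose.compliance-russia.yml \
#     -f docker-compose.crypto-sim.yml up -d
#
# Requirements:
#   - CryptoPro CSP license files in opt/cryptopro/downloads/
#   - CRYPTOPRO_ACCEPT_EULA=1 environment variable
#   - CryptoPro container images with GOST engine
#
# GOST Algorithms Provided:
#   - GOST R 34.10-2012: Digital signature (256/512-bit)
#   - GOST R 34.11-2012: Hash function (Streebog, 256/512-bit)
#   - GOST R 34.12-2015: Block cipher (Kuznyechik, Magma)
#
# =============================================================================

# Labels attached to the CryptoPro CSP container itself (aliased below).
x-cryptopro-labels: &cryptopro-labels
  com.stellaops.component: "cryptopro-csp"
  com.stellaops.crypto.provider: "cryptopro"
  com.stellaops.crypto.profile: "russia"
  com.stellaops.crypto.certified: "true"

# Environment merged (via the `<<` merge key) into every overridden service.
# NOTE(review): the provider URL uses plain HTTP, so requests to the crypto
# provider cross the shared "stellaops" network unencrypted. Whether the
# service authenticates callers is not visible in this file - confirm, and
# treat membership of that network as access to the signing service until then.
x-cryptopro-env: &cryptopro-env
  STELLAOPS_CRYPTO_PROVIDERS: "cryptopro.gost"
  STELLAOPS_CRYPTO_CRYPTOPRO_URL: "http://cryptopro-csp:8080"
  STELLAOPS_CRYPTO_CRYPTOPRO_ENABLED: "true"

# `external: true` means compose will not create this network; it must already
# exist when this overlay is brought up.
networks:
  stellaops:
    external: true
    name: stellaops

services:
  # ---------------------------------------------------------------------------
  # CryptoPro CSP - Certified GOST cryptography provider
  # ---------------------------------------------------------------------------
  cryptopro-csp:
    build:
      context: ../..
      dockerfile: devops/services/cryptopro/linux-csp-service/Dockerfile
      args:
        # Defaults to "0": EULA acceptance has to be set explicitly by the
        # operator. How the Dockerfile reacts to "0" is not shown here.
        CRYPTOPRO_ACCEPT_EULA: "${CRYPTOPRO_ACCEPT_EULA:-0}"
    # NOTE(review): referenced by tag, not by digest. If this image is pulled
    # rather than built locally, pinning a digest makes the deployed
    # cryptographic provider reproducible and tamper-evident.
    image: registry.stella-ops.org/stellaops/cryptopro-csp:2025.10.0
    container_name: stellaops-cryptopro-csp
    restart: unless-stopped
    environment:
      # Listens on every interface inside the container, over plain HTTP.
      ASPNETCORE_URLS: "http://0.0.0.0:8080"
      CRYPTOPRO_ACCEPT_EULA: "${CRYPTOPRO_ACCEPT_EULA:-0}"
      # GOST algorithm configuration
      CRYPTOPRO_GOST_SIGNATURE_ALGORITHM: "GOST R 34.10-2012"
      CRYPTOPRO_GOST_HASH_ALGORITHM: "GOST R 34.11-2012"
      # Container and key store settings
      CRYPTOPRO_CONTAINER_NAME: "${CRYPTOPRO_CONTAINER_NAME:-stellaops-signing}"
      CRYPTOPRO_USE_MACHINE_STORE: "${CRYPTOPRO_USE_MACHINE_STORE:-true}"
      CRYPTOPRO_PROVIDER_TYPE: "${CRYPTOPRO_PROVIDER_TYPE:-80}"
    volumes:
      # Installer/license material and configuration are mounted read-only.
      - ../../opt/cryptopro/downloads:/opt/cryptopro/downloads:ro
      - ../../etc/cryptopro:/app/etc/cryptopro:ro
      # Optional: Mount key containers
      # NOTE(review): this named volume is mounted read-write and, going by its
      # path, presumably holds the signing key containers. Anyone with access
      # to the Docker daemon or to the volume's backing directory can read it;
      # restrict both and handle backups of it as key material.
      - cryptopro-keys:/var/opt/cprocsp/keys
    ports:
      # NOTE(review): short syntax without a host IP publishes the port on
      # every host interface. The other services reach the provider over the
      # "stellaops" network by name, so host publication is only needed for
      # access from the host itself. To limit it to loopback, use
      # "127.0.0.1:${CRYPTOPRO_PORT:-18080}:8080" instead.
      - "${CRYPTOPRO_PORT:-18080}:8080"
    networks:
      - stellaops
    healthcheck:
      # Requires curl inside the image - not verifiable from this file; confirm.
      test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s
    labels: *cryptopro-labels

  # ---------------------------------------------------------------------------
  # Override services to use CryptoPro
  # ---------------------------------------------------------------------------
  # Each override merges the CryptoPro environment into a service defined in
  # the base compose files. The short `depends_on` form only orders start-up;
  # it does not wait for the cryptopro-csp healthcheck to pass, so the
  # dependent services may start before the provider is ready.

  # Authority - Use CryptoPro for GOST signatures
  authority:
    environment:
      <<: *cryptopro-env
    depends_on:
      - cryptopro-csp
    labels:
      com.stellaops.crypto.provider: "cryptopro"

  # Signer - Use CryptoPro for GOST signatures
  signer:
    environment:
      <<: *cryptopro-env
    depends_on:
      - cryptopro-csp
    labels:
      com.stellaops.crypto.provider: "cryptopro"

  # Attestor - Use CryptoPro for GOST signatures
  attestor:
    environment:
      <<: *cryptopro-env
    depends_on:
      - cryptopro-csp
    labels:
      com.stellaops.crypto.provider: "cryptopro"

  # Scanner Web - Use CryptoPro for verification
  scanner-web:
    environment:
      <<: *cryptopro-env
    depends_on:
      - cryptopro-csp
    labels:
      com.stellaops.crypto.provider: "cryptopro"

  # Scanner Worker - Use CryptoPro for verification
  scanner-worker:
    environment:
      <<: *cryptopro-env
    depends_on:
      - cryptopro-csp
    labels:
      com.stellaops.crypto.provider: "cryptopro"

  # Excititor - Use CryptoPro for VEX signing
  excititor:
    environment:
      <<: *cryptopro-env
    depends_on:
      - cryptopro-csp
    labels:
      com.stellaops.crypto.provider: "cryptopro"

volumes:
  # Named volume backing /var/opt/cprocsp/keys in the cryptopro-csp service.
  cryptopro-keys:
    name: stellaops-cryptopro-keys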