---
# =============================================================================
# STELLA OPS - TILE PROXY OVERLAY
# =============================================================================
# Compose overlay that adds a caching proxy for Rekor transparency-log tiles.
# Tiles are fetched from an upstream Rekor (public Sigstore or a private log)
# and stored locally, for air-gapped and offline deployments.
#
# Use cases:
#   - Air-gapped deployments with periodic sync
#   - Lower latency by caching frequently-accessed tiles
#   - Offline verification when upstream is unavailable
#
# This overlay is an ALTERNATIVE to operating your own rekor-v2 instance:
#   - tile-proxy: cache from public Sigstore
#   - rekor-v2 (--profile sigstore): run your own transparency log
#
# Usage:
#   docker compose -f docker-compose.stella-ops.yml \
#                  -f docker-compose.tile-proxy.yml up -d
#
# Defaults worth reviewing before deployment (all visible below):
#   - TUF is off unless TILE_PROXY_TUF_ENABLED is set, and TUF is described
#     here as the source of checkpoint signature validation.
#   - The listener is published on every host interface.
#   - The image is referenced by tag, not by digest.
# =============================================================================

# Shared label set, attached to the service through the alias at the bottom.
x-release-labels: &release-labels
  com.stellaops.release.version: "2025.10.0"
  com.stellaops.release.channel: "stable"
  com.stellaops.component: "tile-proxy"

# Named volumes: one for cached tiles, one for TUF metadata.
volumes:
  tile-cache:
    driver: local
  tuf-cache:
    driver: local

services:
  tile-proxy:
    # With both `build` and `image` set, Compose tags the locally built image
    # with the name below; without a build it pulls that tag instead.
    build:
      context: ../..
      dockerfile: src/Attestor/StellaOps.Attestor.TileProxy/Dockerfile
    # Tag reference only: a tag can be re-pointed in the registry. Appending
    # an @sha256 digest is the way to pin the exact image if that matters.
    image: registry.stella-ops.org/stellaops/tile-proxy:2025.10.0
    container_name: stellaops-tile-proxy
    restart: unless-stopped

    ports:
      # No host IP is given, so Compose binds the host port on all interfaces.
      # The health check below shows an `_admin` path served on this same
      # container port.
      # NOTE(review): confirm which `_admin` routes exist and whether they
      # need authentication before exposing this beyond a trusted network.
      - "${TILE_PROXY_PORT:-8090}:8080"

    volumes:
      - tile-cache:/var/cache/stellaops/tiles
      - tuf-cache:/var/cache/stellaops/tuf

    environment:
      # --- Upstream Rekor --------------------------------------------------
      # Default upstream is the public Sigstore Rekor over HTTPS. An override
      # should keep the https:// scheme so tiles are fetched over TLS.
      TILE_PROXY__UPSTREAMURL: "${REKOR_SERVER_URL:-https://rekor.sigstore.dev}"
      # NOTE(review): presumably the checkpoint origin expected from the
      # upstream log; if so it has to change together with REKOR_SERVER_URL.
      TILE_PROXY__ORIGIN: "${REKOR_ORIGIN:-rekor.sigstore.dev - 1985497715}"

      # --- TUF (optional; used for checkpoint signature validation) --------
      # Disabled by default and the root URL defaults to empty.
      # NOTE(review): VALIDATECHECKPOINTSIGNATURE defaults to true, but it
      # presumably has no effect while TUF is disabled - confirm in the
      # service code. Until TUF is enabled, treat cached checkpoints as
      # unverified by the proxy and keep verification on the client side.
      TILE_PROXY__TUF__ENABLED: "${TILE_PROXY_TUF_ENABLED:-false}"
      TILE_PROXY__TUF__URL: "${TILE_PROXY_TUF_ROOT_URL:-}"
      TILE_PROXY__TUF__VALIDATECHECKPOINTSIGNATURE: "${TILE_PROXY_TUF_VALIDATE_CHECKPOINT:-true}"

      # --- Cache -----------------------------------------------------------
      # Base path matches the mount point of the tile-cache volume above.
      TILE_PROXY__CACHE__BASEPATH: "/var/cache/stellaops/tiles"
      TILE_PROXY__CACHE__MAXSIZEGB: "${TILE_PROXY_CACHE_MAX_SIZE_GB:-10}"
      TILE_PROXY__CACHE__CHECKPOINTTTLMINUTES: "${TILE_PROXY_CHECKPOINT_TTL_MINUTES:-5}"

      # --- Sync job (pre-fetching for air-gapped use) ----------------------
      # Default cron expression fires at minute 0 of every sixth hour.
      TILE_PROXY__SYNC__ENABLED: "${TILE_PROXY_SYNC_ENABLED:-true}"
      TILE_PROXY__SYNC__SCHEDULE: "${TILE_PROXY_SYNC_SCHEDULE:-0 */6 * * *}"
      TILE_PROXY__SYNC__DEPTH: "${TILE_PROXY_SYNC_DEPTH:-10000}"

      # --- Request handling ------------------------------------------------
      TILE_PROXY__REQUEST__COALESCINGENABLED: "${TILE_PROXY_COALESCING_ENABLED:-true}"
      TILE_PROXY__REQUEST__TIMEOUTSECONDS: "${TILE_PROXY_REQUEST_TIMEOUT_SECONDS:-30}"

      # --- Logging ---------------------------------------------------------
      Serilog__MinimumLevel__Default: "${TILE_PROXY_LOG_LEVEL:-Information}"

    healthcheck:
      # Exec-form probe run inside the container; it needs `curl` to be
      # present in the image (not verifiable from this file).
      test:
        - "CMD"
        - "curl"
        - "-f"
        - "http://localhost:8080/_admin/health"
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 5s

    # `stellaops` is not declared in this overlay; it is expected to come
    # from the base file this overlay is combined with (see Usage).
    networks:
      - stellaops

    labels: *release-labels