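# =============================================================================
# STELLA OPS - INFRASTRUCTURE SERVICES
# =============================================================================
# PostgreSQL, Valkey, SeaweedFS (S3-compatible), Zot (OCI registry), Rekor v2.
#
# This file provides the shared infrastructure layer. Application services
# are defined in docker-compose.stella-services.yml and connect via the
# "stellaops" network created here.
#
# Usage (infra only):
#   docker compose -f docker-compose.stella-infra.yml up -d
#
# Usage (full stack):
#   docker compose \
#     -f docker-compose.stella-infra.yml \
#     -f docker-compose.stella-services.yml up -d
#
# With overlays (e.g., telemetry, compliance):
#   docker compose \
#     -f docker-compose.stella-infra.yml \
#     -f docker-compose.stella-services.yml \
#     -f docker-compose.telemetry.yml up -d
#
# Exposure model used throughout this file:
#   - Every published port is bound to a 127.1.1.x loopback address, so the
#     services are not published on external host interfaces.
#   - Every service joins the "stellaops" bridge network, so any container on
#     that network can reach them by alias regardless of the host binding.
#
# =============================================================================

# Shared label set, reused below through the YAML anchor.
x-release-labels: &release-labels
  com.stellaops.release.version: "2025.10.0"
  com.stellaops.release.channel: "stable"
  com.stellaops.profile: "default"

networks:
  # Internal network created by this file; application services attach to it.
  stellaops:
    driver: bridge
    name: stellaops
  # Pre-existing network (external: true); compose will not create it.
  # No service in this file attaches to it.
  frontdoor:
    external: true
    name: "${FRONTDOOR_NETWORK:-stellaops_frontdoor}"

volumes:
  postgres-data:
  valkey-data:
  rustfs-data:
  rekor-tiles-data:
  registry-data:

services:
  # ===========================================================================
  # INFRASTRUCTURE SERVICES
  # ===========================================================================

  postgres:
    image: docker.io/library/postgres:18.1
    container_name: stellaops-postgres
    restart: unless-stopped
    environment:
      # NOTE(review): when POSTGRES_USER / POSTGRES_PASSWORD are unset the
      # database comes up with the well-known pair stellaops/stellaops.
      # Override both (environment or .env) for anything beyond local use.
      POSTGRES_USER: "${POSTGRES_USER:-stellaops}"
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:-stellaops}"
      POSTGRES_DB: "${POSTGRES_DB:-stellaops_platform}"
      PGDATA: /var/lib/postgresql/data/pgdata
    volumes:
      - postgres-data:/var/lib/postgresql/data
      # Init scripts are mounted read-only.
      - ./postgres-init:/docker-entrypoint-initdb.d:ro
    ports:
      # Loopback-only host binding.
      - "127.1.1.1:${POSTGRES_PORT:-5432}:5432"
    networks:
      stellaops:
        aliases:
          - db.stella-ops.local
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-stellaops} -d ${POSTGRES_DB:-stellaops_platform}"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 10s
    labels: *release-labels

  valkey:
    image: docker.io/valkey/valkey:9.0.1
    container_name: stellaops-valkey
    restart: unless-stopped
    # NOTE(review): no password or ACL option is passed on this command line,
    # so clients on the "stellaops" network (and local processes via
    # 127.1.1.2) connect unauthenticated unless the image configures auth
    # elsewhere - confirm.
    command: ["valkey-server", "--appendonly", "yes"]
    volumes:
      - valkey-data:/data
    ports:
      # Loopback-only host binding.
      - "127.1.1.2:${VALKEY_PORT:-6379}:6379"
    networks:
      stellaops:
        aliases:
          - cache.stella-ops.local
    healthcheck:
      test: ["CMD", "valkey-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 5
    labels: *release-labels

  # Service is named "rustfs" but runs SeaweedFS with its S3 gateway enabled.
  rustfs:
    # NOTE(review): "latest" is a mutable tag, so the image that runs can
    # change between pulls without any change to this file. Pin a release tag
    # or an @sha256 digest, as the other tagged images in this file do.
    image: chrislusf/seaweedfs:latest
    container_name: stellaops-rustfs
    # NOTE(review): no S3 identity/credential configuration is passed here;
    # whether the S3 endpoint accepts anonymous requests depends on SeaweedFS
    # defaults - confirm before storing anything sensitive.
    command: ["server", "-s3", "-s3.port=8333", "-volume.port=8080", "-dir=/data"]
    restart: unless-stopped
    volumes:
      - rustfs-data:/data
    ports:
      # Only the S3 port is published; loopback-only host binding.
      - "127.1.1.3:${RUSTFS_HTTP_PORT:-8333}:8333"
    networks:
      stellaops:
        aliases:
          - s3.stella-ops.local
    healthcheck:
      test: ["CMD-SHELL", "wget -q --spider http://127.0.0.1:8333/status || exit 1"]
      interval: 30s
      timeout: 10s
      retries: 3
    labels: *release-labels

  registry:
    image: ghcr.io/project-zot/zot-linux-amd64:v2.1.3
    container_name: stellaops-registry
    restart: unless-stopped
    volumes:
      - registry-data:/var/lib/registry
      # Registry behaviour (including any authentication and TLS) comes from
      # this config file, which is not part of this compose file.
      - ./zot-config.json:/etc/zot/config.json:ro
    ports:
      # Host port 80 on a loopback address maps to container port 5000.
      - "127.1.1.5:80:5000"
    networks:
      stellaops:
        aliases:
          - registry.stella-ops.local
    # Healthcheck is switched off, so compose reports no health state for
    # this container.
    healthcheck:
      disable: true
    labels: *release-labels

  # Only started when the "sigstore-local" profile is enabled.
  rekor-v2:
    # NOTE(review): the default falls back to the mutable "latest" tag. For a
    # transparency log, set REKOR_TILES_IMAGE to a release tag or an @sha256
    # digest so the running binary is reproducible.
    image: "${REKOR_TILES_IMAGE:-ghcr.io/sigstore/rekor-tiles:latest}"
    container_name: stellaops-rekor
    restart: on-failure:5
    command:
      - rekor-server
      - serve
      # Listens on all container interfaces; host exposure is limited by the
      # "ports" entry below. The gRPC port (3323) is not published to the
      # host but is reachable from the "stellaops" network.
      - --http-address
      - 0.0.0.0
      - --http-port
      - "3322"
      - --grpc-address
      - 0.0.0.0
      - --grpc-port
      - "3323"
      - --signer-filepath
      - /etc/rekor/signer.pem
      - --gcp-bucket
      - "${REKOR_GCP_BUCKET:-stellaops-rekor-dev}"
      - --gcp-spanner
      - "${REKOR_GCP_SPANNER:-projects/stellaops-dev/instances/rekor/databases/rekor}"
    volumes:
      - rekor-tiles-data:/var/lib/rekor-tiles
      # NOTE(review): the log signer is a file named as a development key.
      # Checkpoints signed with it should not be trusted outside local
      # testing; supply a separately managed key for any shared environment.
      - ../../etc/authority/keys/signing-dev.pem:/etc/rekor/signer.pem:ro
    ports:
      # Loopback-only host binding.
      - "127.1.1.4:${REKOR_PORT:-3322}:3322"
    networks:
      stellaops:
        aliases:
          - rekor.stella-ops.local
    healthcheck:
      # NOTE(review): assumes the image ships curl and that this path is
      # served by the rekor-tiles build in use - confirm.
      test: ["CMD", "curl", "-f", "http://localhost:3322/api/v1/log"]
      interval: 30s
      timeout: 10s
      retries: 3
    profiles: ["sigstore-local"]
    labels:
      # Shared release labels plus a component label for this service.
      <<: *release-labels
      com.stellaops.component: "rekor-v2"

  # Tooling containers below only run with the "sigstore" profile; by default
  # each just prints its version and exits.
  rekor-cli:
    image: ghcr.io/sigstore/rekor-cli:v1.4.3
    entrypoint: ["rekor-cli"]
    command: ["version"]
    profiles: ["sigstore"]
    networks: [stellaops]
    labels: *release-labels

  cosign:
    image: ghcr.io/sigstore/cosign:v3.0.4
    entrypoint: ["cosign"]
    command: ["version"]
    profiles: ["sigstore"]
    networks: [stellaops]
    labels: *release-labels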