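# =============================================================================
# STELLA OPS - SM REMOTE OVERLAY (China)
# =============================================================================
# SM Remote service overlay for compliance-china.yml.
# Provides SM2/SM3/SM4 (ShangMi) cryptographic operations via software provider
# or integration with OSCCA-certified hardware security modules.
#
# Usage (MUST be combined with stella-ops AND compliance-china):
#   docker compose \
#     -f docker-compose.stella-ops.yml \
#     -f docker-compose.compliance-china.yml \
#     -f docker-compose.sm-remote.yml up -d
#
# For development/testing without SM hardware, use crypto-sim.yml instead:
#   docker compose \
#     -f docker-compose.stella-ops.yml \
#     -f docker-compose.compliance-china.yml \
#     -f docker-compose.crypto-sim.yml up -d
#
# SM Algorithms Provided:
#   - SM2: Public key cryptography (ECDSA-like, 256-bit curve) - GM/T 0003-2012
#   - SM3: Cryptographic hash function (256-bit output) - GM/T 0004-2012
#   - SM4: Block cipher (128-bit key/block, AES-like) - GM/T 0002-2012
#   - SM9: Identity-based cryptography - GM/T 0044-2016
#
# Providers:
#   - cn.sm.soft: Software-only implementation using BouncyCastle
#   - cn.sm.remote.http: Remote HSM integration via HTTP API
#
# OSCCA Compliance:
#   - All cryptographic operations use SM algorithms exclusively
#   - Hardware Security Modules should be OSCCA-certified
#   - Certificates comply with GM/T 0015 (Certificate Profile)
#
# =============================================================================

# Labels attached to the sm-remote service (see `labels: *sm-remote-labels`).
x-sm-remote-labels: &sm-remote-labels
  com.stellaops.component: "sm-remote"
  com.stellaops.crypto.provider: "sm"
  com.stellaops.crypto.profile: "china"
  com.stellaops.crypto.jurisdiction: "china"

# Environment merged (`<<: *sm-remote-env`) into every client service that is
# re-pointed at the SM provider (authority, signer, attestor, scanner-*,
# excititor).
x-sm-remote-env: &sm-remote-env
  # Provider order: software SM first, then the remote HSM HTTP provider.
  STELLAOPS_CRYPTO_PROVIDERS: "cn.sm.soft,cn.sm.remote.http"
  # Plain HTTP on the compose-internal "stellaops" network; this is only
  # acceptable while that network is not shared with untrusted workloads.
  STELLAOPS_CRYPTO_SM_REMOTE_URL: "http://sm-remote:56080"
  STELLAOPS_CRYPTO_SM_ENABLED: "true"
  # Driven by the same ${SM_SOFT_ALLOWED} as the sm-remote service so that a
  # deployment which disables the software provider on the HSM front-end also
  # disables it in the clients (a hard-coded "1" here would re-enable it).
  # Default "1" = software-only SM allowed (development/testing).
  SM_SOFT_ALLOWED: "${SM_SOFT_ALLOWED:-1}"

networks:
  stellaops:
    external: true
    name: stellaops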
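# Shared dependency: client services wait for sm-remote to report healthy
# (the healthcheck below) rather than merely started, so the first SM2
# signature/verification request does not race the provider's start-up.
x-sm-remote-depends: &sm-remote-depends
  sm-remote:
    condition: service_healthy

services:
  # ---------------------------------------------------------------------------
  # SM Remote Service - ShangMi cryptography provider
  # ---------------------------------------------------------------------------
  sm-remote:
    build:
      context: ../..
      dockerfile: devops/services/sm-remote/Dockerfile
    image: registry.stella-ops.org/stellaops/sm-remote:2025.10.0
    container_name: stellaops-sm-remote
    restart: unless-stopped
    environment:
      ASPNETCORE_URLS: "http://0.0.0.0:56080"
      ASPNETCORE_ENVIRONMENT: "Production"
      # Enable software-only SM2 provider (for testing/development).
      # Default "1": with no HSM configured this overlay runs the BouncyCastle
      # software provider; set SM_SOFT_ALLOWED=0 in deployments that must use
      # an OSCCA-certified HSM only.
      SM_SOFT_ALLOWED: "${SM_SOFT_ALLOWED:-1}"
      # Optional: Remote HSM configuration (for production with OSCCA-certified HSM)
      SM_REMOTE_HSM_URL: "${SM_REMOTE_HSM_URL:-}"
      # Secret material: supply via an .env file or secret store, not a shell
      # export that ends up in process listings and shell history.
      SM_REMOTE_HSM_API_KEY: "${SM_REMOTE_HSM_API_KEY:-}"
      SM_REMOTE_HSM_TIMEOUT: "${SM_REMOTE_HSM_TIMEOUT:-30000}"
      # Optional: Client certificate authentication for HSM
      SM_REMOTE_CLIENT_CERT_PATH: "${SM_REMOTE_CLIENT_CERT_PATH:-}"
      SM_REMOTE_CLIENT_CERT_PASSWORD: "${SM_REMOTE_CLIENT_CERT_PASSWORD:-}"
    volumes:
      - ../../etc/sm-remote:/app/etc/sm-remote:ro
      # Optional: Mount SM key containers
      - sm-remote-keys:/var/lib/stellaops/sm-keys
    ports:
      # Published on every host interface by default. The in-compose clients
      # reach sm-remote over the "stellaops" network, so if no external caller
      # needs this port, bind it to loopback instead:
      #   "127.0.0.1:${SM_REMOTE_PORT:-56080}:56080"
      - "${SM_REMOTE_PORT:-56080}:56080"
    networks:
      - stellaops
    healthcheck:
      # NOTE(review): assumes curl is present in the sm-remote image - confirm
      # against devops/services/sm-remote/Dockerfile.
      test: ["CMD", "curl", "-f", "http://localhost:56080/status"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 15s
    labels: *sm-remote-labels

  # ---------------------------------------------------------------------------
  # Override services to use SM Remote
  # ---------------------------------------------------------------------------

  # Authority - Use SM Remote for SM2 signatures
  authority:
    environment:
      <<: *sm-remote-env
    depends_on: *sm-remote-depends
    labels:
      com.stellaops.crypto.provider: "sm"

  # Signer - Use SM Remote for SM2 signatures
  signer:
    environment:
      <<: *sm-remote-env
    depends_on: *sm-remote-depends
    labels:
      com.stellaops.crypto.provider: "sm"

  # Attestor - Use SM Remote for SM2 signatures
  attestor:
    environment:
      <<: *sm-remote-env
    depends_on: *sm-remote-depends
    labels:
      com.stellaops.crypto.provider: "sm"

  # Scanner Web - Use SM Remote for verification
  scanner-web:
    environment:
      <<: *sm-remote-env
    depends_on: *sm-remote-depends
    labels:
      com.stellaops.crypto.provider: "sm"

  # Scanner Worker - Use SM Remote for verification
  scanner-worker:
    environment:
      <<: *sm-remote-env
    depends_on: *sm-remote-depends
    labels:
      com.stellaops.crypto.provider: "sm"

  # Excititor - Use SM Remote for VEX signing
  excititor:
    environment:
      <<: *sm-remote-env
    depends_on: *sm-remote-depends
    labels:
      com.stellaops.crypto.provider: "sm"

volumes:
  # Persistent store for SM key containers mounted into sm-remote.
  sm-remote-keys:
    name: stellaops-sm-remote-keys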