# =============================================================================
# felhom-controller Docker Compose
# This is deployed as an infrastructure component alongside Traefik/Cloudflared
# =============================================================================
services:
  felhom-controller:
    # NOTE(review): a floating ":latest" tag is re-resolved on every pull; the
    # self-update flow may depend on that, but it also means what runs is
    # whatever the registry served last — confirm whether a digest pin is wanted.
    image: gitea.dooplex.hu/admin/felhom-controller:latest
    container_name: felhom-controller
    restart: unless-stopped
    # Needed for the disk tooling the controller runs (mkfs, mount, sfdisk).
    # Together with the Docker socket mount below this container is effectively
    # host-root; keep that in mind when reviewing anything that reaches its API.
    privileged: true
    ports:
      # NOTE(review): both ports are published on every host interface as plain
      # HTTP, even though Traefik already fronts 8080 over websecure/TLS —
      # confirm whether direct access is required beyond the setup phase.
      - "8080:8080"
      # Setup wizard served directly over HTTP; only answers while in setup mode
      - "8081:8081"
    volumes:
      # Docker socket: compose operations and DB dumps via `docker exec`
      - /var/run/docker.sock:/var/run/docker.sock
      # Controller directory: lets the controller read its own compose file
      # when it self-updates
      - /opt/docker/felhom-controller:/opt/docker/felhom-controller
      # Controller config, layered read-only over the directory mount above
      - /opt/docker/felhom-controller/controller.yaml:/opt/docker/felhom-controller/controller.yaml:ro
      # Persistent controller data, a named volume layered over the same path
      - controller-data:/opt/docker/felhom-controller/data
      # Stack compose files; writable because git sync updates them
      - /opt/docker/stacks:/opt/docker/stacks
      # Backup storage: restic repository and database dumps
      - /srv/backups:/srv/backups
      # All external storage. rshared propagation so that mounts created from
      # inside the container (disk init) show up on the host, and vice versa.
      - type: bind
        source: /mnt
        target: /mnt
        bind:
          propagation: rshared
      # Host /sys, read-only: CPU temperature readings
      - /sys:/host/sys:ro
      # Host OS identification for the monitoring page
      - /etc/os-release:/host/etc/os-release:ro
      # Host hostname for the monitoring page — inside the container
      # os.Hostname() would only return the container ID
      - /etc/hostname:/host/etc/hostname:ro
      # Host block devices, exposed at /host-dev because Docker's own /dev
      # tmpfs cannot be replaced
      - /dev:/host-dev:rw
      # Host fstab, writable: the controller persists UUID-based mounts there
      # (visible as /host-fstab inside the container)
      - /etc/fstab:/host-fstab
      # udev metadata so blkid/lsblk can report device model information
      - /run/udev:/run/udev:ro
    environment:
      - TZ=Europe/Budapest
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.controller.rule=Host(`felhom.${DOMAIN}`)"
      - "traefik.http.routers.controller.entrypoints=websecure"
      - "traefik.http.routers.controller.tls=true"
      - "traefik.http.services.controller.loadbalancer.server.port=8080"
      - "traefik.docker.network=traefik-public"
      # Catch-all router: serves the branded error page for subdomains whose
      # app is stopped or not deployed. Priority 1 is the lowest, so any
      # running app's router takes precedence. No certresolver is set — the
      # router relies on certificates already present in Traefik's default
      # store, so a hostname that was never issued a cert falls back to
      # whatever default certificate Traefik serves.
      - "traefik.http.routers.catchall.rule=HostRegexp(`.+`)"
      - "traefik.http.routers.catchall.priority=1"
      - "traefik.http.routers.catchall.entrypoints=websecure"
      - "traefik.http.routers.catchall.tls=true"
      - "traefik.http.routers.catchall.service=controller"
      # Labels read by the monitoring health checks
      - "felhom.managed=true"
      - "felhom.component=controller"
    networks:
      - traefik-public
    healthcheck:
      # Assumes curl is present in the image — TODO confirm, otherwise the
      # container is reported unhealthy regardless of the API's state
      test: ["CMD", "curl", "-f", "http://localhost:8080/api/health"]
      interval: 30s
      timeout: 5s
      start_period: 10s
      retries: 3

volumes:
  controller-data:

networks:
  traefik-public:
    external: true