services:
  frontend:
    container_name: ca-lose-frontend
    hostname: lose-verkaufen
    build: ./frontend
    restart: unless-stopped

  backend:
    container_name: ca-lose-backend
    build: ./backend
    environment:
      NODE_ENV: production
      DB_HOST: ca-lose-mysql
      DB_USER: root
      DB_PASSWORD: ${DB_PASSWORD}
      DB_NAME: ca_lose
    depends_on:
      - database
    networks:
      - ca-lose-internal
    restart: unless-stopped

  database:
    container_name: ca-lose-mysql
    image: mysql:8.0
    restart: unless-stopped
    environment:
      MYSQL_ROOT_PASSWORD: ${DB_PASSWORD}
      MYSQL_DATABASE: ca_lose
      TZ: Europe/Berlin
    volumes:
      - ca-lose_mysql:/var/lib/mysql
      - ./mysql-timezone.cnf:/etc/mysql/conf.d/timezone.cnf:ro
    networks:
      - ca-lose-internal

  wireguard:
    container_name: ca-lose-wireguard
    image: ghcr.io/wg-easy/wg-easy
    environment:
      - WG_HOST=${WG_HOST}
      - WG_DEFAULT_ADDRESS=10.10.0.x
      - WG_DEFAULT_DNS=1.1.1.1
      - WG_ALLOWED_IPS=172.25.0.0/24
      - WG_PORT=51830
      - PASSWORD_HASH=${WG_PASSWORD_HASH}
    volumes:
      - ./wireguard-data:/etc/wireguard
    ports:
      - "127.0.0.1:51830:51820/udp" # WireGuard nur lokal erreichbar, Host-Port 51830
      - "127.0.0.1:51821:51821/tcp" # Web-UI nur lokal erreichbar
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    networks:
      - ca-lose-internal
      - proxynet
    restart: unless-stopped

volumes:
  ca-lose_mysql:
  wireguard-data:

networks:
  ca-lose-internal:
    driver: bridge
    ipam:
      config:
        - subnet: 172.25.0.0/24
  proxynet:
    external: true