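# ── Production Compose Overlay ─────────────────────────────────────────────────
#
# Usage:
#   make docker-prod                # build + start with prod settings
#   docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d
#
# Always inspect the merged result before deploying. An overlay only replaces
# the scalars it names and merges list-valued keys (service `volumes` are
# merged by container path), so what you see here is not what runs:
#   docker compose -f docker-compose.yml -f docker-compose.prod.yml config
#
# Differences from dev:
#   - Runs as non-root user (timmy) from Dockerfile
#   - No bind mounts — uses image-baked source only (`volumes: !override`
#     below drops the dev ./src and ./static binds; needs Docker Compose v2.24+)
#   - Named volumes only (no host path dependencies)
#   - Read-only root filesystem with tmpfs for /tmp
#   - No privilege escalation (no-new-privileges) and all capabilities dropped
#   - Resource limits enforced
#   - Secrets passed via environment variables (set in .env)
#
# Security note: Set all secrets in .env before deploying.
#   Required: L402_HMAC_SECRET, L402_MACAROON_SECRET
#   The `${VAR:?...}` references below make `docker compose` refuse to start
#   when either value is unset or empty, instead of silently running with an
#   empty HMAC key. Keep .env out of version control and readable only by the
#   deploy user (chmod 600): anything passed as an environment variable is
#   visible to every process in the container and to `docker inspect`.

services:
  dashboard:
    # Clear the dev-only root user override so the Dockerfile's USER timmy
    # applies. Confirm in `docker compose ... config` that the merged service
    # has no (or an empty) `user:`; if your Compose version keeps the dev
    # value, use `user: !reset null` instead (Compose v2.24+).
    user: ""
    read_only: true
    # A non-root process already has no effective capabilities; clearing the
    # bounding set and forbidding setuid / file-capability gains closes the
    # remaining escalation paths for a read-only, unprivileged service.
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    # Only /tmp and /app/data are writable; any other write fails with EROFS.
    tmpfs:
      - /tmp:size=100M
    # `!override` replaces the dev volume list instead of merging with it.
    # Without the tag, Compose keeps the ./src and ./static bind mounts from
    # docker-compose.yml because they sit at different container paths than
    # /app/data, and the production container would run host-editable source.
    volumes: !override
      - timmy-data:/app/data
    environment:
      DEBUG: "false"
      TIMMY_ENV: "production"
      # Fail fast at `up` time when a required secret is missing or empty.
      L402_HMAC_SECRET: "${L402_HMAC_SECRET:?set L402_HMAC_SECRET in .env}"
      L402_MACAROON_SECRET: "${L402_MACAROON_SECRET:?set L402_MACAROON_SECRET in .env}"
    deploy:
      resources:
        limits:
          cpus: "2.0"
          memory: 2G

  celery-worker:
    # Same hardening as dashboard; see the comments there.
    user: ""
    read_only: true
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    tmpfs:
      - /tmp:size=100M
    # Replace, don't merge, the dev volume list (drops any host bind mounts).
    volumes: !override
      - timmy-data:/app/data
    # NOTE(review): cannot tell from this overlay whether the worker also
    # needs the L402 secrets; if docker-compose.yml passes them to it, add the
    # same `${VAR:?...}` entries here so a missing value fails fast for it too.
    deploy:
      resources:
        limits:
          cpus: "1.0"
          memory: 1G

# Override timmy-data to use a simple named volume (no host bind)
volumes:
  timmy-data:
    driver: local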