# Fileverse Stack — Self-hosted on Netcup
# Collab server (Y.js WebSocket relay) + kubo IPFS node + MongoDB
#
# Deploy: scp to Netcup /opt/apps/collab-server/, docker compose up -d
# Requires: Traefik proxy network
# DNS: collab.rspace.online, ipfs.rspace.online, ipfs-api.rspace.online

services:
  collab-server:
    build:
      context: .
      dockerfile: Dockerfile
    restart: unless-stopped
    environment:
      PORT: 5001
      HOST: 0.0.0.0
      NODE_ENV: production
      MONGODB_URI: mongodb://collab-mongo:27017/collaboration
      REDIS_ENABLED: "false"
      CORS_ORIGINS: "https://rnotes.jeffemmett.com,https://rspace.jeffemmett.com,https://collab.rspace.online,https://ipfs.rspace.online,http://localhost:3000,http://localhost:5173"
      SERVER_DID: "did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK"
      RATE_LIMIT_WINDOW_MS: 900000
      RATE_LIMIT_MAX: 100
    networks:
      - traefik-public
      - collab-internal
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.collab.rule=Host(`collab.rspace.online`)"
      - "traefik.http.routers.collab.entrypoints=web"
      - "traefik.http.routers.collab.service=collab"
      - "traefik.http.services.collab.loadbalancer.server.port=5001"
    depends_on:
      collab-mongo:
        condition: service_started
    healthcheck:
      test: ["CMD-SHELL", "node -e \"fetch('http://localhost:5001/health').then(r=>process.exit(r.ok?0:1))\""]
      interval: 30s
      timeout: 5s
      retries: 3

  collab-mongo:
    image: mongo:7
    restart: unless-stopped
    volumes:
      - collab-mongo-data:/data/db
    networks:
      - collab-internal

  # ─── Self-hosted IPFS (kubo) ───
  ipfs:
    image: ipfs/kubo:v0.32.1
    restart: unless-stopped
    environment:
      - IPFS_PROFILE=server
    volumes:
      - ipfs-data:/data/ipfs
      - ./ipfs-init.sh:/container-init.d/01-config.sh:ro
    networks:
      - traefik-public
      - collab-internal
    labels:
      - "traefik.enable=true"
      # IPFS Gateway (public, read-only)
      - "traefik.http.routers.ipfs-gw.rule=Host(`ipfs.rspace.online`)"
      - "traefik.http.routers.ipfs-gw.entrypoints=web"
      - "traefik.http.routers.ipfs-gw.service=ipfs-gw"
      - "traefik.http.services.ipfs-gw.loadbalancer.server.port=8080"
      # IPFS API (private, Headscale-only access via IP allowlist)
      - "traefik.http.routers.ipfs-api.rule=Host(`ipfs-api.rspace.online`)"
      - "traefik.http.routers.ipfs-api.entrypoints=web"
      - "traefik.http.routers.ipfs-api.service=ipfs-api"
      - "traefik.http.routers.ipfs-api.middlewares=ipfs-api-ipallow"
      - "traefik.http.services.ipfs-api.loadbalancer.server.port=5001"
      # Restrict API to Headscale mesh + Cloudflare tunnel IPs
      - "traefik.http.middlewares.ipfs-api-ipallow.ipallowlist.sourcerange=100.64.0.0/10,127.0.0.1/32,172.16.0.0/12"
    healthcheck:
      test: ["CMD", "ipfs", "id"]
      interval: 30s
      timeout: 10s
      retries: 3

networks:
  traefik-public:
    external: true
  collab-internal:
    driver: bridge

volumes:
  collab-mongo-data:
  ipfs-data: