# WARNING: Do not deploy this tutorial configuration directly to a production environment
#
# The tutorial docker-compose files have not been written for production deployment and will not
# scale. A proper architecture has been sacrificed to keep the narrative focused on the learning
# goals, they are just used to deploy everything onto a single Docker machine. All FIWARE components
# are running at full debug and extra ports have been exposed to allow for direct calls to services.
# They also contain various obvious security flaws - passwords in plain text, no load balancing,
# no use of HTTPS and so on.
#
# This is all to avoid the need of multiple machines, generating certificates, encrypting secrets
# and so on, purely so that a single docker-compose file can be read as an example to build on,
# not use directly.
#
# When deploying to a production environment, please refer to the Helm Repository
# for FIWARE Components in order to scale up to a proper architecture:
#
# see: https://github.com/FIWARE/helm-charts/
#
version: "3.5"
services:
  # Orion is the context broker
  orionld:
    image: fiware/orion-ld:${ORION_LD_VERSION}
    container_name: fiware-orionld
    hostname: orionld
    depends_on:
      - mongo-db
    networks:
      default:
        ipv4_address: ${ORION_LD_IP}

    ports:
      - "${ORION_LD_PORT}:${ORION_LD_PORT}" # localhost:1026
    command: -dbhost mongo-db -logLevel DEBUG
    healthcheck:
      test: curl --fail -s http://orionld:${ORION_LD_PORT}/version || exit 1

  # Keyrock is an Identity Management Front-End
  idm:
    image: fiware/idm:${KEYROCK_VERSION}
    container_name: fiware-idm
    hostname: idm
    networks:
      default:
        ipv4_address: ${KEYROCK_IP}
    depends_on:
      - mysql-db
    ports:
      - "${KEYROCK_PORT}:${KEYROCK_PORT}" # localhost:3005
    environment:
      - DEBUG=idm:*
      - IDM_DB_HOST=mysql-db
      - IDM_DB_PASS_FILE=/run/secrets/my_secret_data
      - IDM_DB_USER=root
      - IDM_HOST=http://localhost:${KEYROCK_PORT}
      - IDM_PORT=${KEYROCK_PORT}
      - IDM_HTTPS_ENABLED=${IDM_HTTPS_ENABLED}
      - IDM_HTTPS_PORT=${KEYROCK_HTTPS_PORT}
      - IDM_ADMIN_USER=Alice
      - IDM_ADMIN_EMAIL=alice-the-admin@test.com
      - IDM_ADMIN_PASS=test
      # - IDM_EIDAS_ENABLED=true                               # Enable IdM to allow user authentication in services using their eID (true,false)
      # - IDM_EIDAS_GATEWAY_HOST=localhost                     # Name of the host in which IdM is running
      # - IDM_EIDAS_NODE_HOST=https://eidas.node.es/EidasNode  # Name of the host in which is running node eIDAS Service
      # - IDM_EIDAS_METADATA_LIFETIME=31536000                 # Lifetime of metadata of a service with eIDAS authentication enabled in seconds (1 year)
    secrets:
      - my_secret_data
    healthcheck:
      test: curl --fail -s http://localhost:${KEYROCK_PORT}/version || exit 1

  # PEP Proxy for Orion
  orion-pep-proxy:
    image: fiware/pep-proxy:${WILMA_VERSION}
    container_name: fiware-orion-pep-proxy
    hostname: orion-pep-proxy
    networks:
      default:
        ipv4_address: ${ORION_PROXY_IP}
    depends_on:
      - idm
    deploy:
      restart_policy:
        condition: on-failure
    ports:
      - "${ORION_PROXY_PORT}:${ORION_PROXY_PORT}" # localhost:1027
    expose:
      - "${ORION_PROXY_PORT}"
    environment:
      - PEP_PROXY_APP_HOST=orionld
      - PEP_PROXY_APP_PORT=${ORION_LD_PORT}
      - PEP_PROXY_PORT=${ORION_PROXY_PORT}
      - PEP_PROXY_IDM_HOST=idm
      - PEP_PROXY_HTTPS_ENABLED=false
      - PEP_PROXY_AUTH_ENABLED=true
      - PEP_PROXY_IDM_SSL_ENABLED=false
      - PEP_PROXY_IDM_PORT=${KEYROCK_PORT}
      - PEP_PROXY_APP_ID=tutorial-dckr-site-0000-xpresswebapp
      - PEP_PROXY_USERNAME=pep_proxy_00000000-0000-0000-0000-000000000000
      - PEP_PASSWORD=test
      - PEP_PROXY_PDP=idm
      - PEP_PROXY_MAGIC_KEY=1234
      - PEP_PROXY_PUBLIC_PATHS=/version
    healthcheck:
      test: curl --fail -s http://orion-pep-proxy:${ORION_PROXY_PORT}/version || exit 1

  # Databases
  mongo-db:
    image: mongo:${MONGO_DB_VERSION}
    container_name: mongo-db
    hostname: mongo-db
    expose:
      - "${MONGO_DB_PORT}"
    ports:
      - "${MONGO_DB_PORT}:${MONGO_DB_PORT}" # localhost:27017
    networks:
      - default
    command: --bind_ip_all --smallfiles
    volumes:
      - mongo-db:/data
    healthcheck:
      test: |
        host=`hostname --ip-address || echo '127.0.0.1'`;
        mongo --quiet $host/test --eval 'quit(db.runCommand({ ping: 1 }).ok ? 0 : 2)' && echo 0 || echo 1

  mysql-db:
    restart: always
    image: mysql:${MYSQL_DB_VERSION}
    hostname: mysql-db
    container_name: mysql-db
    expose:
      - "${MYSQL_DB_PORT}"
    ports:
      - "${MYSQL_DB_PORT}:${MYSQL_DB_PORT}" # localhost:3306
    networks:
      default:
        ipv4_address: ${MYSQL_DB_IP}
    environment:
      - "MYSQL_ROOT_PASSWORD_FILE=/run/secrets/my_secret_data"
      - "MYSQL_ROOT_HOST=${KEYROCK_IP}" # Allow Keyrock to access this database
    volumes:
      - mysql-db:/var/lib/mysql
    secrets:
      - my_secret_data

# Need to check the IP address to select one not used locally in docker engine
networks:
  default:
    ipam:
      config:
        - subnet: ${SUBNET}

volumes:
  mysql-db: ~
  mongo-db: ~

secrets:
  my_secret_data:
    file: secrets.txt