services:
  archnest:
    build: .
    image: archnest:latest
    container_name: archnest
    restart: unless-stopped
    ports:
      - "8080:8080"
    depends_on:
      - archnest-backend

  archnest-backend:
    build: ./backend
    image: archnest-backend:latest
    container_name: archnest-backend
    restart: unless-stopped
    environment:
      - PORT=4000
      - ARCHNEST_DB_PATH=/data/archnest.db
      - ARCHNEST_JWT_SECRET=${ARCHNEST_JWT_SECRET}
      - ARCHNEST_SECRET_KEY=${ARCHNEST_SECRET_KEY}
      - ARCHNEST_CORS_ORIGIN=${ARCHNEST_CORS_ORIGIN:-https://archnest.snsnetlabs.com}
      # Remote Desktop (RDP/VNC/Telnet via Guacamole). The crypt key must be exactly
      # 32 bytes (AES-256-CBC); guacd runs as the sidecar service below.
      - ARCHNEST_GUAC_CRYPT_KEY=${ARCHNEST_GUAC_CRYPT_KEY}
      - ARCHNEST_GUACD_HOST=guacd
      - ARCHNEST_GUACD_PORT=4822
    volumes:
      - archnest-data:/data
    ports:
      - "4000:4000"
    depends_on:
      - guacd

  # guacd is the Guacamole proxy daemon that actually speaks RDP/VNC/Telnet to
  # target hosts; the backend's /api/guacamole websocket route connects to it.
  guacd:
    image: guacamole/guacd:1.5.5
    container_name: archnest-guacd
    restart: unless-stopped
    # No published port: only the backend (same compose network) needs to reach
    # it on 4822. Exposed internally via the service name "guacd".

volumes:
  archnest-data: