version: '3.8'

services:
  web:
    build: .
    image: sneakyscanner:latest
    container_name: sneakyscanner-web
    # Use entrypoint script that auto-initializes database on first run
    entrypoint: ["/docker-entrypoint.sh"]
    command: ["python3", "-u", "-m", "web.app"]
    # Note: Using host network mode for scanner capabilities, so no port mapping needed
    # The Flask app will be accessible at http://localhost:5000
    volumes:
      # Mount configs directory for scan configurations (read-write for web UI management)
      - ./configs:/app/configs
      # Mount output directory for scan results
      - ./output:/app/output
      # Mount database file for persistence
      - ./data:/app/data
      # Mount logs directory
      - ./logs:/app/logs
    environment:
      # Flask configuration
      - FLASK_APP=web.app
      - FLASK_ENV=${FLASK_ENV:-production}
      - FLASK_DEBUG=${FLASK_DEBUG:-false}
      - FLASK_HOST=0.0.0.0
      - FLASK_PORT=5000
      # Database configuration (SQLite in mounted volume for persistence)
      - DATABASE_URL=sqlite:////app/data/sneakyscanner.db
      # Initial password for first run (leave empty to auto-generate)
      - INITIAL_PASSWORD=${INITIAL_PASSWORD:-}
      # Security settings
      # IMPORTANT: Set these in .env file or the application will fail to start!
      - SECRET_KEY=${SECRET_KEY:-dev-secret-key-change-in-production}
      - SNEAKYSCANNER_ENCRYPTION_KEY=${SNEAKYSCANNER_ENCRYPTION_KEY:-}
      # Optional: CORS origins (comma-separated)
      - CORS_ORIGINS=${CORS_ORIGINS:-*}
      # Optional: Logging level
      - LOG_LEVEL=${LOG_LEVEL:-INFO}
      # Scheduler configuration (APScheduler)
      - SCHEDULER_EXECUTORS=${SCHEDULER_EXECUTORS:-2}
      - SCHEDULER_JOB_DEFAULTS_MAX_INSTANCES=${SCHEDULER_JOB_DEFAULTS_MAX_INSTANCES:-3}
    # Scanner functionality requires privileged mode and host network for masscan/nmap
    privileged: true
    network_mode: host
    # Health check to ensure web service is running
    healthcheck:
      test: ["CMD", "python3", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:5000/api/settings/health').read()"]
      interval: 60s
      timeout: 10s
      retries: 3
      start_period: 40s
    restart: unless-stopped

  # Optional: Initialize database on first run
  # Run with: docker-compose -f docker-compose-web.yml run --rm init-db
  init-db:
    build: .
    image: sneakyscanner:latest
    container_name: sneakyscanner-init-db
    entrypoint: ["python3"]
    command: ["init_db.py", "--db-url", "sqlite:////app/data/sneakyscanner.db"]
    volumes:
      - ./data:/app/data
    profiles:
      - tools