services:
  db:
    image: mysql:8.4
    restart: unless-stopped
    environment:
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD:-rootpassword}
      MYSQL_DATABASE: ${MYSQL_DATABASE:-queuemed}
      MYSQL_USER: ${MYSQL_USER:-queuemed}
      MYSQL_PASSWORD: ${MYSQL_PASSWORD:-queuemed}
    volumes:
      - mysql_data:/var/lib/mysql
    command:
      - --character-set-server=utf8mb4
      - --collation-server=utf8mb4_unicode_ci
    healthcheck:
      test:
        ["CMD", "mysqladmin", "ping", "-h", "127.0.0.1", "-u", "root", "-p${MYSQL_ROOT_PASSWORD:-rootpassword}"]
      interval: 10s
      timeout: 5s
      retries: 10
    networks:
      - queuemed

  app:
    build:
      context: .
      dockerfile: Dockerfile
    restart: unless-stopped
    depends_on:
      db:
        condition: service_healthy
    environment:
      NODE_ENV: production
      PORT: 5000
      DATABASE_URL: mysql://${MYSQL_USER:-queuemed}:${MYSQL_PASSWORD:-queuemed}@db:3306/${MYSQL_DATABASE:-queuemed}
      # JWT_SECRET MUST be provided via .env.docker — there is no insecure fallback.
      JWT_SECRET: ${JWT_SECRET:?JWT_SECRET must be set in .env.docker}
      PUBLIC_BASE_URL: ${PUBLIC_BASE_URL:-}
      WHATSAPP_SESSION_DIR: ${WHATSAPP_SESSION_DIR:-/app/data/whatsapp-sessions}
      # MySQL credentials available to scripts/backup-db.sh inside the container
      MYSQL_HOST: db
      MYSQL_DATABASE: ${MYSQL_DATABASE:-queuemed}
      MYSQL_USER: ${MYSQL_USER:-queuemed}
      MYSQL_PASSWORD: ${MYSQL_PASSWORD:-queuemed}
    volumes:
      - app_data:/app/data
    ports:
      - "5100:5000"
    networks:
      - queuemed

networks:
  queuemed:
    driver: bridge

volumes:
  mysql_data:
    driver: local
  app_data:
    driver: local