services:
  mysql:
    image: mysql:8.0
    container_name: membership_mysql
    restart: unless-stopped
    environment:
      MYSQL_ROOT_PASSWORD: ${DATABASE_PASSWORD:-rootpassword}
      MYSQL_DATABASE: ${DATABASE_NAME:-membership_db}
      MYSQL_USER: ${DATABASE_USER:-membership_user}
      MYSQL_PASSWORD: ${DATABASE_PASSWORD:-change_this_password}
    # No external port exposure - database only accessible on private network
    expose:
      - "3306"
    volumes:
      - mysql_data:/var/lib/mysql
      - ./database/init.sql:/docker-entrypoint-initdb.d/init.sql:ro
    networks:
      - membership_private
    healthcheck:
      test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
      timeout: 20s
      retries: 10

  backend:
    build:
      context: ./backend
      dockerfile: Dockerfile
    container_name: membership_backend
    restart: unless-stopped
    env_file:
      - .env
    ports:
      - "6000:8000"  # Only expose backend API to host
    volumes:
      - ./backend/app:/app/app
      - uploads_data:/app/uploads
    depends_on:
      mysql:
        condition: service_healthy
    networks:
      - membership_private  # Access to database on private network

  frontend:
    build:
      context: ./frontend
      dockerfile: Dockerfile
    container_name: membership_frontend
    restart: unless-stopped
    environment:
      - VITE_HOST_CHECK=false
    ports:
      - "3500:3000"  # Expose frontend to host
    volumes:
      - ./frontend/src:/app/src
      - ./frontend/public:/app/public
      - ./frontend/vite.config.ts:/app/vite.config.ts
    depends_on:
      - backend
    networks:
      - membership_private  # Access to backend on private network

networks:
  membership_private:
    driver: bridge
    internal: false  # Allow outbound internet access for backend
    # Database is not exposed to host - only accessible within this network

volumes:
  mysql_data:
  uploads_data: