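# ==============================================
# Mosaic Stack - Hybrid Deployment Example
# ==============================================
# This example shows a hybrid deployment mixing bundled and external services.
# Common for staging environments: bundled database/cache, external auth/secrets.
#
# Usage:
#   1. Copy this file to docker-compose.override.yml
#   2. Set COMPOSE_PROFILES=database,cache,ollama in .env
#   3. Configure external service URLs in .env (see below)
#   4. Run: docker compose up -d
#
# Or run directly:
#   docker compose -f docker-compose.yml -f docker-compose.example.hybrid.yml up -d
#
# Services Included (Bundled):
#   - PostgreSQL 17 with pgvector
#   - Valkey (Redis-compatible cache)
#   - Ollama (local LLM)
#   - API (NestJS)
#   - Web (Next.js)
#   - Orchestrator (Agent management)
#
# Services Included (External):
#   - OpenBao/Vault (managed secrets)
#   - Authentik/OIDC (managed authentication)
#
# Environment Variables (.env):
#   COMPOSE_PROFILES=database,cache,ollama  # Enable only these bundled services
#   IMAGE_TAG=dev
#
#   # Bundled Database (default from docker-compose.yml)
#   DATABASE_URL=postgresql://mosaic:${POSTGRES_PASSWORD}@postgres:5432/mosaic
#
#   # Bundled Cache (default from docker-compose.yml)
#   VALKEY_URL=redis://valkey:6379
#
#   # Bundled Ollama (default from docker-compose.yml)
#   OLLAMA_ENDPOINT=http://ollama:11434
#
#   # External Secrets (OpenBao/Vault)
#   OPENBAO_ADDR=https://vault.example.com:8200
#   OPENBAO_ROLE_ID=your-role-id
#   OPENBAO_SECRET_ID=your-secret-id
#
#   # External OIDC Authentication
#   OIDC_ENABLED=true
#   OIDC_ISSUER=https://auth.example.com/
#   OIDC_CLIENT_ID=your-client-id
#   OIDC_CLIENT_SECRET=your-client-secret
#
# The api service below also reads POSTGRES_PASSWORD, CSRF_SECRET and
# ENCRYPTION_KEY from .env; POSTGRES_USER and POSTGRES_DB default to "mosaic".
#
# Security notes:
#   - .env holds live credentials (AppRole secret id, OIDC client secret,
#     CSRF secret, encryption key). Keep it out of version control and
#     readable only by the account that runs docker compose.
#   - Values passed through `environment:` are visible to anyone who can run
#     `docker inspect` on the container, so limit access to the Docker socket.
#   - Secrets and endpoints marked required below use ${VAR:?message}, so
#     Compose stops with an error when one is unset or empty instead of
#     starting the API with a blank value.
#
# ==============================================

services:
  # Use bundled PostgreSQL and Valkey (enabled via database,cache profiles)
  # No overrides needed - profiles handle this

  # Disable bundled Authentik - use external OIDC
  # The "disabled" profile is not in COMPOSE_PROFILES, so these services are
  # skipped by `docker compose up`. Do not add "disabled" to COMPOSE_PROFILES;
  # naming one of these services explicitly on the command line also starts it.
  authentik-postgres:
    profiles:
      - disabled

  authentik-redis:
    profiles:
      - disabled

  authentik-server:
    profiles:
      - disabled

  authentik-worker:
    profiles:
      - disabled

  # Disable bundled OpenBao - use external vault
  openbao:
    profiles:
      - disabled

  openbao-init:
    profiles:
      - disabled

  # Use bundled Ollama (enabled via ollama profile)
  # No override needed

  # Configure API for hybrid deployment
  api:
    environment:
      # Bundled database (default)
      # Required password: an empty one would otherwise yield "user:@postgres".
      # A password containing URL-reserved characters (@ : / ? #) must be
      # percent-encoded in .env, because it is pasted into the URL as-is.
      DATABASE_URL: "postgresql://${POSTGRES_USER:-mosaic}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set in .env}@postgres:5432/${POSTGRES_DB:-mosaic}"

      # Bundled cache (default)
      # No credentials in this URL; it is only reachable by service name on
      # the Compose network.
      VALKEY_URL: "redis://valkey:6379"

      # External secrets
      # Use an https:// address: the role id and secret id are sent to it.
      OPENBAO_ADDR: "${OPENBAO_ADDR:?OPENBAO_ADDR must be set in .env}"
      OPENBAO_ROLE_ID: "${OPENBAO_ROLE_ID:?OPENBAO_ROLE_ID must be set in .env}"
      OPENBAO_SECRET_ID: "${OPENBAO_SECRET_ID:?OPENBAO_SECRET_ID must be set in .env}"

      # Bundled Ollama (default)
      OLLAMA_ENDPOINT: "http://ollama:11434"

      # External OIDC
      # OIDC_ENABLED is passed through unchanged; the header expects "true".
      OIDC_ENABLED: "${OIDC_ENABLED}"
      OIDC_ISSUER: "${OIDC_ISSUER:?OIDC_ISSUER must be set in .env}"
      OIDC_CLIENT_ID: "${OIDC_CLIENT_ID:?OIDC_CLIENT_ID must be set in .env}"
      OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET:?OIDC_CLIENT_SECRET must be set in .env}"

      # Security
      # Both must be set to non-empty values; Compose refuses to start without
      # them.
      CSRF_SECRET: "${CSRF_SECRET:?CSRF_SECRET must be set in .env}"
      ENCRYPTION_KEY: "${ENCRYPTION_KEY:?ENCRYPTION_KEY must be set in .env}"

  # Web and Orchestrator use defaults from docker-compose.yml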