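---
# Compose stack: a KeyDB (Redis-compatible) store plus the API container.
# Secrets come from the environment / .env at `docker compose up` time.
#
# Security notes (review):
# - REDIS_PASSWORD is required: `${VAR:?msg}` makes Compose abort when it is
#   unset or empty instead of silently starting keydb-server with an empty
#   `--requirepass` (i.e. no authentication at all).
# - The password is still visible in `docker inspect` (command/env) — that is
#   inherent to passing it via Compose interpolation; the healthcheck no longer
#   puts it on a process command line (`redis-cli -a ...`), it reads it from
#   REDISCLI_AUTH instead (honoured by redis-cli since Redis 5; assumed to hold
#   for the cli shipped in the eqalpha/keydb image — verify once on deploy).
services:
  keydb:
    image: eqalpha/keydb
    container_name: cryptowallet-keydb
    restart: unless-stopped
    # Reachable only on the compose network; never published on the host.
    expose:
      - "6379"
    volumes:
      - keydb_data:/data
    environment:
      # Consumed by redis-cli in the healthcheck so the secret is not an argv
      # element visible to every process in the container.
      REDISCLI_AUTH: ${REDIS_PASSWORD:?REDIS_PASSWORD must be set in the environment or .env}
    command:
      - keydb-server
      - --requirepass
      - ${REDIS_PASSWORD:?REDIS_PASSWORD must be set in the environment or .env}
      - --dir
      - /data
      # AOF with per-second fsync, plus RDB snapshots as a second line of
      # defence for durability of wallet state.
      - --appendonly
      - "yes"
      - --appendfsync
      - everysec
      - --save
      - "900"
      - "1"
      - --save
      - "300"
      - "10"
      - --save
      - "60"
      - "10000"
    # NOTE(review): cap_drop/read_only are intentionally not applied here —
    # the upstream image entrypoint is believed to chown /data and drop to an
    # unprivileged user (gosu), which needs SETUID/SETGID/CHOWN. Confirm the
    # entrypoint's behaviour before tightening. no-new-privileges is safe with
    # privilege *dropping* and is applied for parity with the api service.
    security_opt:
      - no-new-privileges:true
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 5s
      timeout: 2s
      retries: 20
    # Bound log size: an unbounded json-file log is a trivial disk-exhaustion
    # vector; mirrors the api service's settings.
    logging:
      driver: json-file
      options:
        max-size: "20m"
        max-file: "5"

  api:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: cryptowallet-api
    restart: unless-stopped
    depends_on:
      keydb:
        condition: service_healthy
    # Production: the port is published on ALL host interfaces. TLS and a WAF
    # on the reverse proxy are mandatory. If the proxy runs on the same host,
    # prefer "127.0.0.1:3001:3001" — Docker's published ports are inserted
    # ahead of host firewall rules (ufw/iptables INPUT), so a host-level
    # firewall does not protect this listener.
    ports:
      - "3001:3001"
    # NOTE(review): env_file hands the *entire* .env to this container. Keep
    # .env limited to what the API needs (least privilege for secrets) or
    # switch to an explicit `environment:` list.
    env_file:
      - .env
    environment:
      API_PORT: "3001"
    # Container hardening — post-RCE blast-radius minimisation.
    # read_only means the app may only write under /tmp (tmpfs below); any
    # other writable path must be an explicit volume/tmpfs.
    read_only: true
    # Consider "/tmp:rw,noexec,nosuid,size=64m" once confirmed the runtime
    # does not need to execute from /tmp — it blocks the common "drop a
    # binary in /tmp and run it" post-exploitation step.
    tmpfs:
      - /tmp
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    # Fork-bomb / resource-exhaustion limits.
    pids_limit: 256
    mem_limit: 512m
    cpus: "1.0"
    healthcheck:
      test: ["CMD", "wget", "-qO-", "--tries=1", "--timeout=3", "http://localhost:3001/api/health"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 15s
    logging:
      driver: json-file
      options:
        max-size: "20m"
        max-file: "5"

volumes:
  keydb_data: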