version: "3.8"

networks:
  iklimco-net:
    external: true

volumes:
  postgresql_data:
  mongodb_data:

services:
  postgresql:
    image: {{ db_postgres_image }}
    environment:
      POSTGRES_USER: "{{ db_postgres_root_user }}"
      POSTGRES_PASSWORD: "{{ db_postgres_password }}"
      POSTGRES_DB: postgres
      PGDATA: /var/lib/postgresql/data/pgdata
    volumes:
      - postgresql_data:/var/lib/postgresql/data
    networks:
      - iklimco-net
    deploy:
      placement:
        constraints:
          - node.labels.role == db

  mongodb:
    image: {{ db_mongo_image }}
    environment:
      MONGO_INITDB_ROOT_USERNAME: "{{ db_mongo_root_user }}"
      MONGO_INITDB_ROOT_PASSWORD: "{{ db_mongo_root_password }}"
    volumes:
      - mongodb_data:/data/db
      - /opt/iklimco/db/mongodb/config/mongod.conf:/etc/mongod.conf
    command: ["--config", "/etc/mongod.conf"]
    networks:
      - iklimco-net
    deploy:
      placement:
        constraints:
          - node.labels.role == db

  # WireGuard üzerinden DB manager erişimi için köprü servisler.
  # Host portları firewalld ile sadece WireGuard subnet'ine (10.8.0.0/24) açılır.
  pg-proxy:
    image: alpine/socat:latest
    command: TCP-LISTEN:5432,fork,reuseaddr TCP:postgresql:5432
    ports:
      - target: 5432
        published: 15432
        protocol: tcp
        mode: host
    networks:
      - iklimco-net
    deploy:
      placement:
        constraints:
          - node.labels.role == db
      restart_policy:
        condition: on-failure
        delay: 5s

  mongo-proxy:
    image: alpine/socat:latest
    command: TCP-LISTEN:27017,fork,reuseaddr TCP:mongodb:27017
    ports:
      - target: 27017
        published: 17017
        protocol: tcp
        mode: host
    networks:
      - iklimco-net
    deploy:
      placement:
        constraints:
          - node.labels.role == db
      restart_policy:
        condition: on-failure
        delay: 5s