version: '3.8'

services:
  # Keycloak pour OIDC (optionnel, pour développement)
  keycloak:
    image: quay.io/keycloak/keycloak:latest
    environment:
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin
      KC_DB: h2
      KC_HTTP_ENABLED: 'true'
      KC_HTTP_PORT: 8080
    ports:
      - "8080:8080"
    command:
      - start-dev

  # Secure Proxy
  secure-proxy:
    build: .
    ports:
      - "3000:3000"
    environment:
      NODE_ENV: development
      PORT: 3000
      PROXY_URL: http://localhost:3000
      OIDC_ISSUER: http://keycloak:8080/auth/realms/master
      OIDC_CLIENT_ID: openidv2-client
      OIDC_CLIENT_SECRET: your_secret_here
      OIDC_CALLBACK_URL: http://localhost:3000/callback
      ADMIN_USERNAME: admin@example.com
      SESSION_SECRET: dev-secret-change-in-production
      DB_PATH: /app/db/services.db
    depends_on:
      - keycloak
    volumes:
      - ./db:/app/db
      - ./sessions:/app/sessions
    networks:
      - secure-network

  # Exemple de service local à proxifier
  sample-service:
    image: nginx:alpine
    ports:
      - "8888:80"
    networks:
      - secure-network
    volumes:
      - ./docs:/usr/share/nginx/html

networks:
  secure-network:
    driver: bridge