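# =============================================================================
# MPC-System Production Deployment - Standalone Server Party
# =============================================================================
# Purpose: Deploy a single server-party that connects to central Message Router
# This configuration is used for distributed deployment where parties run on
# different physical machines, possibly behind NAT.
#
# Usage:
#
#   On each party machine:
#     PARTY_ID=server-party-1 ./deploy.sh party up
#     PARTY_ID=server-party-2 ./deploy.sh party up
#     PARTY_ID=server-party-3 ./deploy.sh party up
#
# Required Environment Variables (compose aborts with the ":?" message if unset):
#   PARTY_ID            - Unique party identifier (e.g., server-party-1)
#   MESSAGE_ROUTER_ADDR - Public address of Message Router (e.g., grpc.mpc.example.com:50051)
#   CRYPTO_MASTER_KEY   - 64-character hex key for share encryption
#   POSTGRES_PASSWORD   - Password for the party's local PostgreSQL instance
#
# Optional Environment Variables:
#   POSTGRES_USER    - Local database user (default: mpc_user)
#   PARTY_ROLE       - Party role (default: persistent)
#   ENVIRONMENT      - Runtime environment name (default: production)
#   PARTY_HTTP_PORT  - Host port for the local health endpoint (default: 8080)
#   NOTIFICATION_*   - Notification channels for offline mode (default: empty)
#
# Architecture:
#   This Party (NAT OK) --[outbound gRPC]--> Message Router (Public Internet)
#
# Note: Parties ONLY connect to Message Router. Session operations are
# proxied through Message Router to Session Coordinator internally.
#
# NAT Traversal:
#   - Party initiates single outbound connection (no inbound ports needed)
#   - gRPC keepalive maintains connection through NAT
#   - Heartbeat every 30 seconds keeps connection alive
# =============================================================================
---
services:
  # ============================================
  # PostgreSQL for Party's Local Key Storage
  # ============================================
  postgres:
    image: postgres:15-alpine
    container_name: mpc-party-postgres-${PARTY_ID:-party}
    environment:
      TZ: Asia/Shanghai
      POSTGRES_DB: mpc_party
      POSTGRES_USER: ${POSTGRES_USER:-mpc_user}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}
    volumes:
      - party-postgres-data:/var/lib/postgresql/data
      # Schema files are applied by the image on first start only; mounted
      # read-only so the container cannot alter them.
      - ./migrations:/docker-entrypoint-initdb.d:ro
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-mpc_user} -d mpc_party"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 30s
    # No host port is published: the database is reachable only from the
    # party container over the private bridge network.
    networks:
      - party-network
    restart: unless-stopped

  # ============================================
  # Server Party - Connects to Central Services
  # ============================================
  server-party:
    build:
      context: .
      dockerfile: services/server-party/Dockerfile
    container_name: mpc-${PARTY_ID:-server-party}
    # The party needs no inbound port - it dials out to the Message Router.
    # The HTTP port is published for LOCAL health checks only, so it is bound
    # to the host loopback interface rather than to every host interface
    # (an unqualified "8080:8080" mapping would expose /health to the network).
    ports:
      - "127.0.0.1:${PARTY_HTTP_PORT:-8080}:8080"
    environment:
      TZ: Asia/Shanghai
      # Party Identity
      PARTY_ID: ${PARTY_ID:?PARTY_ID must be set (e.g., server-party-1)}
      PARTY_ROLE: ${PARTY_ROLE:-persistent}
      # Server Configuration (numbers quoted so every loader passes them
      # through as strings)
      MPC_SERVER_GRPC_PORT: "50051"
      MPC_SERVER_HTTP_PORT: "8080"
      MPC_SERVER_ENVIRONMENT: ${ENVIRONMENT:-production}
      # Local Database for Key Storage
      MPC_DATABASE_HOST: postgres
      MPC_DATABASE_PORT: "5432"
      MPC_DATABASE_USER: ${POSTGRES_USER:-mpc_user}
      MPC_DATABASE_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}
      MPC_DATABASE_DBNAME: mpc_party
      # The database hop stays inside the private bridge network defined
      # below; TLS is not enforced on it. Revisit if postgres ever moves off
      # this host.
      MPC_DATABASE_SSLMODE: disable
      # Central Service (PUBLIC address - accessible from this party's location)
      # Parties ONLY connect to Message Router (session ops proxied internally)
      MESSAGE_ROUTER_ADDR: ${MESSAGE_ROUTER_ADDR:?MESSAGE_ROUTER_ADDR must be set (e.g., grpc.mpc.example.com:50051)}
      # Encryption Key for Key Shares - supplied from the environment, never
      # written into this file.
      MPC_CRYPTO_MASTER_KEY: ${CRYPTO_MASTER_KEY:?CRYPTO_MASTER_KEY must be set (64 hex characters)}
      # Optional: Notification channels for offline mode
      NOTIFICATION_EMAIL: ${NOTIFICATION_EMAIL:-}
      NOTIFICATION_PHONE: ${NOTIFICATION_PHONE:-}
      NOTIFICATION_PUSH_TOKEN: ${NOTIFICATION_PUSH_TOKEN:-}
    depends_on:
      postgres:
        condition: service_healthy
    healthcheck:
      # Runs inside the container, so it targets the container-side port 8080
      # regardless of PARTY_HTTP_PORT.
      test: ["CMD", "curl", "-sf", "http://localhost:8080/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s
    networks:
      - party-network
    restart: unless-stopped
    # Important: Allow container to resolve external DNS (the Message Router
    # hostname). These are public resolvers; substitute an internal resolver
    # if the deployment site mandates one.
    dns:
      - 8.8.8.8
      - 8.8.4.4

# ============================================
# Networks
# ============================================
networks:
  party-network:
    driver: bridge

# ============================================
# Volumes - Party's Local Key Storage
# IMPORTANT: Back up this volume! It contains encrypted key shares.
# ============================================
volumes:
  party-postgres-data:
    driver: local
    name: mpc-party-${PARTY_ID:-party}-postgres-data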