services:
  web:
    build: .
    expose:
      - "8080"
    environment:
      - PORT=8080
      - SUPABASE_URL=${SUPABASE_URL}
      - SUPABASE_ANON_KEY=${SUPABASE_ANON_KEY}
      - SUPABASE_JWT_SECRET=${SUPABASE_JWT_SECRET}
      - SUPABASE_SERVICE_ROLE_KEY=${SUPABASE_SERVICE_ROLE_KEY:-}
      - GITEA_TOKEN=${GITEA_TOKEN}
      - DATABASE_URL=${DATABASE_URL}
      - CALDAV_ENCRYPTION_KEY=${CALDAV_ENCRYPTION_KEY}
      - ALLOWED_EMAIL_DOMAINS=${ALLOWED_EMAIL_DOMAINS}
      - PALIAD_BASE_URL=${PALIAD_BASE_URL}
      - SMTP_HOST=${SMTP_HOST}
      - SMTP_PORT=${SMTP_PORT}
      - SMTP_USERNAME=${SMTP_USERNAME}
      - SMTP_PASSWORD=${SMTP_PASSWORD}
      - SMTP_FROM=${SMTP_FROM}
      - SMTP_FROM_NAME=${SMTP_FROM_NAME}
      - SMTP_USE_TLS=${SMTP_USE_TLS}
      # Paliadin remote routing (t-paliad-151). When PALIADIN_REMOTE_HOST
      # is set, paliad forwards each turn to mRiver via SSH on port 22022.
      # The container reaches mRiver over Tailscale via mLake's host-side
      # tailscale0 + Docker source NAT — no network_mode override needed
      # (verified Phase A.5: a plain alpine container on Dokploy's
      # default bridge SSHs to mriver:22022 in 3 s, source IP NAT'd to
      # mLake's tailnet IP, matches the from="100.99.98.201" clause on
      # mRiver's authorized_keys).
      # PRIVATE_KEY and KNOWN_HOSTS are multi-line Dokploy secrets.
      - PALIADIN_REMOTE_HOST=${PALIADIN_REMOTE_HOST}
      - PALIADIN_REMOTE_PORT=${PALIADIN_REMOTE_PORT}
      - PALIADIN_REMOTE_USER=${PALIADIN_REMOTE_USER}
      - PALIADIN_SSH_PRIVATE_KEY=${PALIADIN_SSH_PRIVATE_KEY}
      - PALIADIN_KNOWN_HOSTS=${PALIADIN_KNOWN_HOSTS}
      # aichat Phase B (t-paliad-194 / m/paliad#38). Set PALIADIN_BACKEND=aichat
      # to route Paliadin through the centralized aichat backend on mRiver.
      # Legacy default (unset / "legacy") keeps the existing RemotePaliadinService path.
      - PALIADIN_BACKEND=${PALIADIN_BACKEND:-legacy}
      - AICHAT_URL=${AICHAT_URL:-}
      - AICHAT_TOKEN=${AICHAT_TOKEN:-}
      - AICHAT_PERSONA=${AICHAT_PERSONA:-paliadin}
      # Backup Mode (m/paliad#77 Slice A). Local-disk export target; the
      # paliad_exports named volume below persists it across container
      # restarts. Unset → /admin/backups returns 503 (BackupService gate).
      - PALIAD_EXPORT_DIR=${PALIAD_EXPORT_DIR:-/var/lib/paliad/exports}
      # - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}  # Phase H (AI Frist-Extraktion), currently deferred
    volumes:
      - paliad_exports:/var/lib/paliad/exports
    restart: unless-stopped

volumes:
  paliad_exports: