# Dokploy app: projax
#
# Apply via Dokploy UI on mlake, or as a reference for the manual setup.
# Public over HTTPS with Let's Encrypt; auth is enforced at the application
# layer via Supabase JWT cookies set by projax's own /login (host-scoped,
# no Domain attribute). Single replica, single tenant (m).
#
# Environment expected (set via Dokploy secrets, NEVER commit):
#   PROJAX_DB_URL        postgres://projax_admin:@:6789/postgres?sslmode=disable
#   PROJAX_LISTEN_ADDR   :8080 (default; Dokploy maps to public port)
#   PROJAX_AUTO_MIGRATE  on (default; set "off" to bypass embedded migrations on boot)
#
# The PROJAX_DB_URL example above has an empty password and an empty host;
# the real values live only in the Dokploy secret of the same name.
# NOTE(review): sslmode=disable means the projax_admin password and all
# queries cross the wire unencrypted. That is only acceptable when the
# database is reached over loopback or a private network (confirm for this
# host); otherwise use sslmode=require or sslmode=verify-full.
#
# README §"Deploy / 0. Manual prerequisite" documents the one-time CREATE ROLE
# projax_admin + cross-schema grants + RLS policy on mai.projects. The
# migrations themselves are credential-free.

# Application and service identifiers.
name: projax
service: projax

# The image is built from the Dockerfile at the root of the build context
# rather than pulled from a registry.
image:
  build:
    context: .
    dockerfile: Dockerfile

# Public endpoint. The port matches PROJAX_LISTEN_ADDR below; https: true is
# the Let's Encrypt-backed TLS described in the header.
domain:
  host: projax.msbls.de
  port: 8080
  https: true

# Probe of /healthz every 30s with a 3s timeout and 3 retries.
# NOTE(review): presumably /healthz is served without a login so the probe
# can reach it; confirm it reports liveness only and no internal state.
healthcheck:
  path: /healthz
  interval: 30s
  timeout: 3s
  retries: 3

# CPU and memory settings for the single replica.
resources:
  cpu: 250m
  memory: 128Mi

# One replica, as stated in the header (single tenant).
replicas: 1
restart: unless-stopped

# Plain (non-secret) configuration. Only endpoint URLs and switches belong
# here; anything that authenticates goes under `secrets` instead.
env:
  - PROJAX_LISTEN_ADDR=:8080
  # NOTE(review): with this on, migrations run at boot, presumably through
  # PROJAX_DB_URL as projax_admin; verify that role holds no more than the
  # grants README §0 lists.
  - PROJAX_AUTO_MIGRATE=on
  - SUPABASE_URL=https://supa.flexsiebels.de
  - DAV_URL=https://dav.msbls.de/dav/calendars/m/
  - GITEA_URL=https://mgit.msbls.de

# Names only: the values are set via Dokploy secrets and must never be
# committed (see header).
secrets:
  - PROJAX_DB_URL
  - SUPABASE_ANON_KEY
  - DAV_USER
  - DAV_PASSWORD
  - GITEA_TOKEN  # = GITEA_TOKEN_AI from .env.age (mAi automation account)
  # NOTE(review): a static Bearer secret on a public host should come from a
  # CSPRNG and be rotated if it ever appears in logs or shell history.
  - PROJAX_MCP_TOKEN  # 32-char Bearer secret for /mcp/rpc; missing → MCP off cleanly