services:
  # PostgreSQL with the pgvector extension. No ports are published, so the
  # database is reachable only from containers on this Compose network.
  postgres:
    # Tags are mutable; pin by digest (image@sha256:<digest>) if you need
    # reproducible pulls.
    image: pgvector/pgvector:pg18
    environment:
      POSTGRES_DB: nivq
      POSTGRES_USER: nivq
      # Compose aborts with this message when the variable is unset or empty.
      # NOTE(review): the postgres entrypoint normally applies the password
      # only when the data volume is first initialised, so editing .env later
      # does not rotate it. Confirm for this image.
      POSTGRES_PASSWORD: '${POSTGRES_PASSWORD:?Set POSTGRES_PASSWORD in .env — any strong value}'
    volumes:
      # NOTE(review): mounted at the parent directory, not .../data; pg18
      # images are expected to keep data in a versioned subdirectory. Confirm
      # against the image docs before changing this path.
      - nivq-pg:/var/lib/postgresql
    healthcheck:
      # Healthy once the server accepts connections; nivq's depends_on waits
      # for this.
      test:
        - CMD-SHELL
        - pg_isready -U nivq
      interval: 5s
      retries: 10

  # Redis, with data persisted to a named volume. No authentication is
  # configured in this file and no ports are published, so access is limited
  # to containers on this Compose network. Enable authentication before adding
  # a ports: mapping.
  redis:
    image: redis:7-alpine
    volumes:
      - nivq-redis:/data
    healthcheck:
      # Healthy once redis-cli gets a reply to PING.
      test:
        - CMD
        - redis-cli
        - ping
      interval: 5s
      retries: 10

  # The API server. It starts only after postgres and redis report healthy.
  nivq:
    # Tags are mutable; pin by digest (image@sha256:<digest>) if you need
    # reproducible pulls.
    image: ghcr.io/nivorbit/images/nivq:0.2.6
    depends_on:
      postgres:
        condition: service_healthy
      redis:
        condition: service_healthy
    # Reads settings from here — see the example below. Every entry in .env is
    # passed into this container, so keep the file out of version control and
    # readable only by the deploying user.
    env_file: .env
    environment:
      # Reuses POSTGRES_PASSWORD above — one password to set, not two.
      NIVQ_DATASOURCE_PASSWORD: '${POSTGRES_PASSWORD}'
      # Required values: Compose stops with a clear message when one is unset
      # or empty, instead of letting the container crash-loop on a blank .env.
      # Fill them in .env, not here.
      NIVQ_ENCRYPTION_KEY_V1: '${NIVQ_ENCRYPTION_KEY_V1:?Set NIVQ_ENCRYPTION_KEY_V1 in .env — generate with openssl rand -base64 32}'
      NIVQ_PLATFORM_LLM_API_KEY: '${NIVQ_PLATFORM_LLM_API_KEY:?Set NIVQ_PLATFORM_LLM_API_KEY in .env — your LLM provider API key}'
      NIVQ_BOOTSTRAP_ADMIN_PASSWORD: '${NIVQ_BOOTSTRAP_ADMIN_PASSWORD:?Set NIVQ_BOOTSTRAP_ADMIN_PASSWORD in .env — first-run admin password}'
    ports:
      # Published on all host interfaces, over plain HTTP. Docker-published
      # ports commonly bypass host firewall rules. For a local-only setup, use
      # "127.0.0.1:8080:8080"; for remote access, put a TLS-terminating proxy
      # in front.
      - "8080:8080"
    restart: unless-stopped

  # The browser UI. A static app pointed at the API; see Web client for details.
  nivq-web:
    image: ghcr.io/nivorbit/images/nivq-web:0.2.8
    # Short form: waits only for the nivq container to start, not for it to be
    # healthy.
    depends_on:
      - nivq
    environment:
      # The API URL as reached from the browser (must match BACKEND_URL).
      # It is plain HTTP on localhost. If the UI is served to other machines,
      # switch both URLs to an HTTPS origin so credentials are not sent in
      # clear text.
      NIVQ_API_BASE_URL: 'http://localhost:8080'
    ports:
      # Serve the UI at FRONTEND_URL (http://localhost:3000). This is
      # published on all host interfaces; use "127.0.0.1:3000:8080" to keep it
      # local.
      - "3000:8080"
    restart: unless-stopped

# Named volumes with default driver settings. They hold the database and Redis
# data, so treat backups and copies of them as sensitive. `docker compose
# down -v` deletes them.
volumes:
  nivq-pg: {}
  nivq-redis: {}
