app:
  id: indeedhub-api
  name: IndeedHub API
  version: "1.0.0"
  description: IndeedHub backend API (Nostr auth, media, payments).
  category: community

  # Hyphen name matches runtime references + the live container (adoption);
  # alias `api` is the short hostname the frontend nginx proxies to
  # (http://api:4000). Reaches its backends by their short aliases
  # (postgres/redis/minio) on indeedhub-net — unchanged from the legacy installer.
  container_name: indeedhub-api

  container:
    image: 146.59.87.168:3000/lfg2025/indeedhub-api:1.0.0
    pull_policy: if-not-present
    network: indeedhub-net
    network_aliases: [api]
    # The JWT signing secret is owned here (no backend container owns it); the
    # db + minio passwords are owned by indeedhub-postgres / indeedhub-minio and
    # only consumed here. ensure_generated_secrets no-ops when a file already
    # exists, so live values on .228 are preserved (postgres pw is fixed at
    # PGDATA init — regenerating would lock the API out).
    generated_secrets:
      - name: indeedhub-jwt
        kind: hex32
    secret_env:
      - key: DATABASE_PASSWORD
        secret_file: indeedhub-db-password
      - key: AWS_SECRET_KEY
        secret_file: indeedhub-minio-password
      - key: NOSTR_JWT_SECRET
        secret_file: indeedhub-jwt

  dependencies:
    - app_id: indeedhub-postgres
    - app_id: indeedhub-redis
    - app_id: indeedhub-minio

  resources:
    memory_limit: 2Gi

  security:
    capabilities: []
    readonly_root: false
    network_policy: isolated

  ports: []

  volumes: []

  environment:
    - PORT=4000
    - DATABASE_HOST=postgres
    - DATABASE_PORT=5432
    - DATABASE_USER=indeedhub
    - DATABASE_NAME=indeedhub
    - QUEUE_HOST=redis
    - QUEUE_PORT=6379
    - S3_ENDPOINT=http://minio:9000
    - AWS_REGION=us-east-1
    - AWS_ACCESS_KEY=indeeadmin
    - S3_PUBLIC_BUCKET_NAME=indeedhub-public
    - S3_PRIVATE_BUCKET_NAME=indeedhub-private
    - S3_PUBLIC_BUCKET_URL=/storage
    - NOSTR_JWT_EXPIRES_IN=7d
    # Fixed across the fleet (envelope-encryption master key baked by the legacy
    # installer); not node-specific, so a plain env literal, not a secret.
    - AES_MASTER_SECRET=0123456789abcdef0123456789abcdef
    - ENVIRONMENT=production

  health_check:
    type: tcp
    endpoint: localhost:4000
    interval: 30s
    timeout: 5s
    retries: 10