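---
# Local development stack for CERTifAI: Keycloak (OIDC provider), MongoDB,
# SearXNG and LibreChat. Every URL in this file is localhost, so published
# ports are bound to 127.0.0.1. All credentials are development defaults
# checked into the repo; each one can be overridden from the shell or a .env
# file via Compose `${VAR:-default}` interpolation without editing this file.
services:
  keycloak:
    image: quay.io/keycloak/keycloak:26.0
    container_name: certifai-keycloak
    environment:
      KC_BOOTSTRAP_ADMIN_USERNAME: "${KC_BOOTSTRAP_ADMIN_USERNAME:-admin}"
      KC_BOOTSTRAP_ADMIN_PASSWORD: "${KC_BOOTSTRAP_ADMIN_PASSWORD:-admin}"
      # In-memory dev database; the realm is re-imported from
      # realm-export.json on every start (see --import-realm below).
      KC_DB: dev-mem
      KC_HEALTH_ENABLED: "true"
    ports:
      # Loopback only: the bootstrap admin account ships with a default password.
      - "127.0.0.1:8080:8080"
    command:
      - start-dev
      - --import-realm
    volumes:
      - ./keycloak/realm-export.json:/opt/keycloak/data/import/realm-export.json:ro
      - ./keycloak/themes/certifai:/opt/keycloak/themes/certifai:ro
    healthcheck:
      # Raw HTTP probe over bash's /dev/tcp; only the status line of
      # GET /realms/master is inspected. Kept in flow style on purpose: the
      # "\\r\\n" escapes depend on double-quoted YAML processing.
      test: ["CMD-SHELL", "exec 3<>/dev/tcp/localhost/8080 && echo -e 'GET /realms/master HTTP/1.1\\r\\nHost: localhost\\r\\nConnection: close\\r\\n\\r\\n' >&3 && head -1 <&3 | grep -q '200 OK'"]
      interval: 10s
      timeout: 5s
      retries: 10
      start_period: 30s

  mongo:
    # TODO(review): pin to a specific tag or digest for reproducible builds.
    image: mongo:latest
    restart: unless-stopped
    ports:
      # Quoted like the other port mappings and bound to loopback: the root
      # credentials below are defaults.
      - "127.0.0.1:27017:27017"
    environment:
      MONGO_INITDB_ROOT_USERNAME: "${MONGO_INITDB_ROOT_USERNAME:-root}"
      MONGO_INITDB_ROOT_PASSWORD: "${MONGO_INITDB_ROOT_PASSWORD:-example}"

  searxng:
    # TODO(review): pin to a specific tag or digest for reproducible builds.
    image: searxng/searxng:latest
    container_name: certifai-searxng
    restart: unless-stopped
    ports:
      - "127.0.0.1:8888:8080"
    # Mapping form, consistent with the other services' environment blocks.
    environment:
      SEARXNG_BASE_URL: http://localhost:8888
    volumes:
      - ./searxng:/etc/searxng:rw

  librechat:
    # TODO(review): pin to a specific tag or digest for reproducible builds.
    image: ghcr.io/danny-avila/librechat:latest
    container_name: certifai-librechat
    restart: unless-stopped
    # Use host networking so localhost:8080 (Keycloak) is reachable for
    # OIDC discovery, and the browser redirect URLs match the issuer.
    network_mode: host
    depends_on:
      keycloak:
        condition: service_healthy
      mongo:
        condition: service_started
    environment:
      # MongoDB (use localhost since we're on host network). The credentials
      # are interpolated from the same variables as the mongo service so the
      # two cannot drift; percent-encode an override that contains
      # URL-reserved characters.
      MONGO_URI: "mongodb://${MONGO_INITDB_ROOT_USERNAME:-root}:${MONGO_INITDB_ROOT_PASSWORD:-example}@localhost:27017/librechat?authSource=admin"
      DOMAIN_CLIENT: http://localhost:3080
      DOMAIN_SERVER: http://localhost:3080
      # Local dev only. This disables TLS certificate verification for every
      # outbound connection the Node process makes; it does not by itself
      # permit a plain-HTTP issuer (the openidStrategy.js mount below does).
      NODE_TLS_REJECT_UNAUTHORIZED: "0"
      NODE_ENV: development
      # Keycloak OIDC SSO
      OPENID_ISSUER: http://localhost:8080/realms/certifai
      OPENID_CLIENT_ID: certifai-librechat
      # Presumably must match the client entry in keycloak/realm-export.json;
      # verify when rotating.
      OPENID_CLIENT_SECRET: "${OPENID_CLIENT_SECRET:-certifai-librechat-secret}"
      OPENID_SESSION_SECRET: "${OPENID_SESSION_SECRET:-a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6}"
      OPENID_CALLBACK_URL: /oauth/openid/callback
      OPENID_SCOPE: openid profile email
      OPENID_BUTTON_LABEL: Login with CERTifAI
      OPENID_AUTH_EXTRA_PARAMS: prompt=none
      # Disable local auth (SSO only)
      ALLOW_EMAIL_LOGIN: "false"
      ALLOW_REGISTRATION: "false"
      ALLOW_SOCIAL_LOGIN: "true"
      ALLOW_SOCIAL_REGISTRATION: "true"
      # JWT / encryption secrets (required by LibreChat). Development defaults;
      # override them from the environment before exposing the service.
      CREDS_KEY: "${CREDS_KEY:-97e95d72cdda06774a264f9fb7768097a6815dc1e930898d2e39c9a3a253b157}"
      CREDS_IV: "${CREDS_IV:-2ea456ab25279089b0ff9e7aca1df6e6}"
      JWT_SECRET: "${JWT_SECRET:-767b962176666eab56e180e6f2d3fe95145dc6b978e37d4eb8d1da5421c5fb26}"
      JWT_REFRESH_SECRET: "${JWT_REFRESH_SECRET:-51a43a1fca4b7b501b37e226a638645d962066e0686b82248921f3160e96501e}"
      # App settings
      APP_TITLE: CERTifAI Chat
      CUSTOM_FOOTER: CERTifAI - Sovereign GenAI Infrastructure
      # With network_mode: host there is no ports: mapping to narrow this, so
      # LibreChat listens on every host interface at PORT.
      HOST: "0.0.0.0"
      PORT: "3080"
      NO_INDEX: "true"
    volumes:
      - ./librechat/librechat.yaml:/app/librechat.yaml:ro
      - ./librechat/logo.svg:/app/client/public/assets/logo.svg:ro
      # Patch: allow HTTP issuer for local dev (openid-client v6 enforces HTTPS)
      - ./librechat/openidStrategy.js:/app/api/strategies/openidStrategy.js:ro
      - librechat-data:/app/data

volumes:
  librechat-data: {}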