HokmPlay/docker-compose.yml

# Barg-e Vasat — local/self-hosted stack.
# Ports live in the 1500–1600 range so this stack can run alongside a manual
# `npm run dev` (:3000) and `dotnet run` (:5005) without colliding.
#   web  → http://localhost:1500
#   api  → http://localhost:1505
#   db   → localhost:1510 (postgres)
# All values come from .env (the deploy job writes it from the ENV_FILE secret).

services:
  db:
    image: mirror.soroushasadi.com/postgres:16-alpine
    container_name: hokm-db
    restart: unless-stopped
    environment:
      POSTGRES_DB: hokm
      POSTGRES_USER: hokm
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-hokm_dev_pass}
    volumes:
      - hokm_db_data:/var/lib/postgresql/data
    ports:
      - "${DB_PORT:-1510}:5432"
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U hokm -d hokm"]
      interval: 5s
      timeout: 5s
      retries: 10

  server:
    build:
      context: ./server
      dockerfile: Dockerfile
      args:
        # Plain-HTTP Nexus (no SSL) — the HTTPS mirror serves a partial cert chain
        # containers can't validate. Override via .env if needed.
        NUGET_INDEX: ${NUGET_INDEX:-http://171.22.25.73:8081/repository/nuget-group/index.json}
    image: hokm-server:latest
    container_name: hokm-server
    restart: unless-stopped
    depends_on:
      db:
        condition: service_healthy
    environment:
      ASPNETCORE_ENVIRONMENT: Production
      ASPNETCORE_URLS: http://0.0.0.0:5005
      Database__Provider: postgres
      ConnectionStrings__Default: "Host=db;Port=5432;Database=hokm;Username=hokm;Password=${POSTGRES_PASSWORD:-hokm_dev_pass}"
      # Default empty so `docker compose build` (which interpolates the whole file)
      # never blocks on a runtime-only secret. The server REFUSES to boot in
      # Production with a missing/dev key (see Program.cs guard).
      Jwt__Key: ${JWT_KEY:-}
      Jwt__Issuer: ${JWT_ISSUER:-hokm}
      Jwt__Audience: ${JWT_AUDIENCE:-hokm-clients}
      # Comma-separated origins the browser uses to reach the web app.
      Cors__Origins: ${CORS_ORIGINS:-http://localhost:1500}
      Zarinpal__MerchantId: ${ZARINPAL_MERCHANT_ID:-299685fb-cadf-4dfc-98e2-d4af5d81528d}
      Zarinpal__Sandbox: ${ZARINPAL_SANDBOX:-false}
      Zarinpal__CallbackUrl: ${ZARINPAL_CALLBACK_URL:-http://localhost:1505/api/coins/pay/callback}
      Zarinpal__ClientReturnUrl: ${ZARINPAL_CLIENT_RETURN_URL:-http://localhost:1500}
      # FlatRender Pay broker (pay.flatrender.ir): shared ZarinPal via the single
      # verified domain. Set FLATPAY_API_KEY + FLATPAY_SECRET to route through it
      # (issued in FlatRender admin → پرداخت). Empty ⇒ legacy direct ZarinPal above.
      FlatPay__BaseUrl: ${FLATPAY_BASE_URL:-https://pay.flatrender.ir}
      FlatPay__ApiKey: ${FLATPAY_API_KEY:-}
      FlatPay__Secret: ${FLATPAY_SECRET:-}
      FlatPay__ReturnUrl: ${FLATPAY_RETURN_URL:-https://bargevasat.ir/?pay=done}
      # Store in-app billing verification (Cafe Bazaar / Myket) — fill from panels.
      Iab__PackageName: ${IAB_PACKAGE_NAME:-com.bargevasat.app}
      Iab__BazaarClientId: ${IAB_BAZAAR_CLIENT_ID:-}
      Iab__BazaarClientSecret: ${IAB_BAZAAR_CLIENT_SECRET:-}
      Iab__BazaarRefreshToken: ${IAB_BAZAAR_REFRESH_TOKEN:-}
      Iab__MyketAccessToken: ${IAB_MYKET_ACCESS_TOKEN:-}
      Iab__AllowUnverified: ${IAB_ALLOW_UNVERIFIED:-false}
      # SMS OTP (Kavenegar). Empty key ⇒ dev mode (no SMS, accepts the dev code).
      Sms__Provider: ${SMS_PROVIDER:-kavenegar}
      Sms__ApiKey: ${SMS_API_KEY:-}
      Sms__Template: ${SMS_TEMPLATE:-hokmotp}
      # Store-review test login (Google Play / Bazaar / Myket): this phone skips
      # SMS and always accepts the static code. Give these to the review team.
      Sms__TestPhone: ${SMS_TEST_PHONE:-09120000000}
      Sms__TestCode: ${SMS_TEST_CODE:-453115}
      # Admin panel (marketing-site links editor) — shared-token auth.
      Admin__Token: ${ADMIN_TOKEN:-}
      # Where the admin-editable site-links JSON is persisted (mounted volume).
      Site__DataDir: /data
    volumes:
      - hokm_data:/data
    ports:
      - "${API_PORT:-1505}:5005"
    healthcheck:
      test: ["CMD", "wget", "-q", "-O-", "http://127.0.0.1:5005/"]
      interval: 10s
      timeout: 5s
      retries: 12
      start_period: 20s

  web:
    build:
      context: .
      dockerfile: Dockerfile
      args:
        # Baked into the static bundle at build time. Must be the address the
        # BROWSER uses to reach the API (host-mapped api port, or LAN IP).
        NEXT_PUBLIC_USE_SERVER: "1"
        NEXT_PUBLIC_SERVER_URL: ${NEXT_PUBLIC_SERVER_URL:-http://localhost:1505}
        # Plain-HTTP Nexus (no SSL). Override via .env if needed.
        NPM_REGISTRY: ${NPM_REGISTRY:-http://171.22.25.73:8081/repository/npm-group/}
    image: hokm-web:latest
    container_name: hokm-web
    restart: unless-stopped
    depends_on:
      server:
        condition: service_healthy
    ports:
      - "${WEB_PORT:-1500}:80"
    healthcheck:
      test: ["CMD", "wget", "-q", "-O-", "http://127.0.0.1/"]
      interval: 10s
      timeout: 5s
      retries: 6
      start_period: 10s

  # Marketing website (bargevasat.ir) — separate static Next.js project in ./site.
  site:
    build:
      context: ./site
      dockerfile: Dockerfile
      args:
        # Browser-facing API (for reading admin-editable store links) + game URL.
        NEXT_PUBLIC_API_URL: ${NEXT_PUBLIC_SERVER_URL:-http://localhost:1505}
        NEXT_PUBLIC_APP_URL: ${NEXT_PUBLIC_APP_URL:-http://localhost:1500}
        NEXT_PUBLIC_SITE_URL: ${NEXT_PUBLIC_SITE_URL:-http://localhost:1520}
        NPM_REGISTRY: ${NPM_REGISTRY:-http://171.22.25.73:8081/repository/npm-group/}
    image: hokm-site:latest
    container_name: hokm-site
    restart: unless-stopped
    ports:
      - "${SITE_PORT:-1520}:80"
    healthcheck:
      test: ["CMD", "wget", "-q", "-O-", "http://127.0.0.1/"]
      interval: 10s
      timeout: 5s
      retries: 6
      start_period: 10s

volumes:
  hokm_db_data:
  hokm_data: