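---
# Docker Compose stack for the LiquidCode tester: a gateway service that
# forwards work to a single worker service over a private bridge network.
#
# The file must stay in block form, one key per line. Collapsed onto a single
# line it is not valid YAML: nested "key: key:" pairs are a syntax error and
# everything after the first "#" becomes a comment.
services:
  gateway:
    image: liquidcode-tester-gateway:latest
    container_name: liquidcode-tester-gateway
    build:
      context: .
      dockerfile: src/LiquidCode.Tester.Gateway/Dockerfile
    ports:
      - "8080:8080"
    environment:
      # NOTE(review): "Development" is a developer setting; confirm this file
      # is not used for a deployment reachable by untrusted clients.
      - ASPNETCORE_ENVIRONMENT=Development
      # Every language is routed to the same worker over liquidcode-network.
      - Workers__Cpp=http://worker:8080
      - Workers__Java=http://worker:8080
      - Workers__Kotlin=http://worker:8080
      - Workers__CSharp=http://worker:8080
      - Workers__Python=http://worker:8080
    networks:
      - liquidcode-network
    depends_on:
      - worker
    # Security hardening for Gateway
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL

  worker:
    image: liquidcode-tester-worker:latest
    container_name: liquidcode-tester-worker
    build:
      context: .
      dockerfile: src/LiquidCode.Tester.Worker/Dockerfile
    # NOTE(review): this publishes the worker API on every host interface.
    # The gateway reaches the worker at worker:8080 on liquidcode-network, so
    # the host mapping is only needed for direct access. Consider binding it
    # to 127.0.0.1 or removing it so requests cannot bypass the gateway.
    ports:
      - "8081:8080"
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
    networks:
      - liquidcode-network
    # Security hardening for Worker
    security_opt:
      - no-new-privileges:true
      - apparmor=docker-default
    cap_drop:
      - ALL
    # SYS_ADMIN is a very broad capability and largely offsets "cap_drop: ALL"
    # for this container. Treat the worker as a high-trust component: keep it
    # on the internal network only and review this list whenever the sandbox
    # configuration changes.
    cap_add:
      - SYS_ADMIN  # Required for Isolate namespaces
      - SETUID  # Required for Isolate to change user context
      - SETGID  # Required for Isolate to change group context
    # Temporary filesystem for compilation and testing
    # "exec" is set explicitly because Docker tmpfs mounts default to noexec.
    # tmpfs pages are backed by memory, and no memory limit is set on this
    # service, so a full /tmp can consume up to 4G of host RAM.
    tmpfs:
      - /tmp:exec,size=4G
    # Resource limits to prevent DoS
    # NOTE(review): nproc (RLIMIT_NPROC) is counted per real user ID, not per
    # container, so it is not a container-wide process cap; "pids_limit" is
    # the cgroup-level control. Memory and CPU are unbounded here
    # ("mem_limit" / "cpus" are not set).
    ulimits:
      nproc: 1024  # Max processes
      nofile: 2048  # Max open files

networks:
  liquidcode-network:
    driver: bridge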