services:
  mkcert-web-ui:
    image: jeffcaldwellca/mkcertweb:3.1.2
    ports:
      - "3000:3000"    # HTTP port
      - "3443:3443"    # HTTPS port
    environment:
      # Server Configuration
      - PORT=3000
      - HTTPS_PORT=3443
      - HOST=0.0.0.0
      
      # SSL/HTTPS Configuration
      - ENABLE_HTTPS=false
      - SSL_DOMAIN=localhost
      - FORCE_HTTPS=false
      
      # Application Configuration
      - NODE_ENV=production
      - DEFAULT_THEME=dark
      
      # Authentication Configuration (disabled by default)
      - ENABLE_AUTH=false
      - AUTH_USERNAME=admin
      - AUTH_PASSWORD=admin
      - SESSION_SECRET=mkcert-web-ui-secret-key-change-in-production
      
      # Rate Limiting Configuration
      - CLI_RATE_LIMIT_WINDOW=900000   # CLI operations window (15 minutes)
      - CLI_RATE_LIMIT_MAX=10          # Max CLI operations per window
      - API_RATE_LIMIT_WINDOW=900000   # API requests window (15 minutes)  
      - API_RATE_LIMIT_MAX=100         # Max API requests per window
      - AUTH_RATE_LIMIT_WINDOW=900000  # Auth attempts window (15 minutes)
      - AUTH_RATE_LIMIT_MAX=5          # Max auth attempts per window
      
      # OpenID Connect (OIDC) SSO Configuration
      # - ENABLE_OIDC=false
      # - OIDC_ISSUER=
      # - OIDC_CLIENT_ID=
      # - OIDC_CLIENT_SECRET=
      # - OIDC_CALLBACK_URL=
      # - OIDC_SCOPE=openid profile email
    volumes:
      # Persist certificates and data
      - mkcert_certificates:/app/certificates
      - mkcert_data:/app/data
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:3000/"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s

volumes:
  mkcert_certificates:
    driver: local
  mkcert_data:
    driver: local