services:
  postgres:
    image: postgres:16-alpine
    container_name: mcpctl-postgres
    restart: unless-stopped
    environment:
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
      POSTGRES_DB: ${POSTGRES_DB}
    volumes:
      - mcpctl-pgdata:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER}"]
      interval: 5s
      timeout: 5s
      retries: 5
    networks:
      - mcpctl

  mcpd:
    image: mysources.co.uk/michal/mcpd:latest
    container_name: mcpctl-mcpd
    restart: unless-stopped
    ports:
      - "${MCPD_PORT:-3100}:3100"
    environment:
      DATABASE_URL: postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB}
      MCPD_PORT: "3100"
      MCPD_HOST: "0.0.0.0"
      MCPD_LOG_LEVEL: ${MCPD_LOG_LEVEL:-info}
      MCPD_NODE_RUNNER_IMAGE: mysources.co.uk/michal/mcpctl-node-runner:latest
      MCPD_MCP_NETWORK: mcp-servers
    depends_on:
      postgres:
        condition: service_healthy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - mcpctl
      - mcp-servers
    healthcheck:
      test: ["CMD-SHELL", "wget -q --spider http://localhost:3100/healthz || exit 1"]
      interval: 10s
      timeout: 5s
      retries: 3
      start_period: 15s

networks:
  mcpctl:
    driver: bridge
  mcp-servers:
    name: mcp-servers
    driver: bridge
    # Not internal — MCP servers need outbound access for external APIs.
    # Isolation enforced by not binding host ports on MCP containers.

volumes:
  mcpctl-pgdata: