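---
# =============================================================================
# hitch + varnish stack — ja4ebpf integration tests
#
# Architecture:
#   traffic-gen ─HTTPS→ hitch (TLS, port 443, PROXY protocol) ─HTTP→ varnish (port 6081)
#                         ↑                                            ↓
#                         │                                   HTTP backend (port 8080)
#          ja4ebpf (uprobe on hitch/libssl + TC hook)
#
# Hitch is a dedicated TLS offloader: it ONLY terminates TLS and forwards the
# cleartext traffic plus a PROXY protocol header to Varnish.
# Varnish reads the PROXY header to recover the real client IP.
#
# Key difference vs nginx+varnish:
#   - uprobe on hitch (/usr/sbin/hitch or the libssl linked by hitch)
#   - the PROXY protocol header lets ja4ebpf recover the real src_ip even
#     though the L3 traffic comes from hitch → varnish (127.0.0.1)
#
# Test-only stack: it runs a privileged container and a ClickHouse instance
# with no password configured in this file. Do not reuse it as a deployment
# template.
# =============================================================================

services:
  clickhouse:
    image: clickhouse/clickhouse-server:24.8
    hostname: clickhouse
    environment:
      CLICKHOUSE_DB: ja4_processing
      # No CLICKHOUSE_PASSWORD is set here, so the `default` user relies on
      # whatever the image and the init SQL below configure.
      # NOTE(review): confirm 08_users.sql restricts or replaces it.
      CLICKHOUSE_USER: default
      # Enables SQL-driven access management for the default user.
      # Quoted so the value reaches the container as the string "1".
      CLICKHOUSE_DEFAULT_ACCESS_MANAGEMENT: "1"
    volumes:
      # NOTE(review): the init script is the only initdb mount without `:ro`;
      # confirm whether the container needs to write to it.
      - ../platform/clickhouse-init.sh:/docker-entrypoint-initdb.d/00_init.sh
      - ../../../shared/clickhouse/00_database.sql:/initdb-src/00_database.sql:ro
      - ../../../shared/clickhouse/01_raw_tables.sql:/initdb-src/01_raw_tables.sql:ro
      - ../../../shared/clickhouse/02_dictionaries.sql:/initdb-src/02_dictionaries.sql:ro
      - ../../../shared/clickhouse/03_anubis_tables.sql:/initdb-src/03_anubis_tables.sql:ro
      - ../../../shared/clickhouse/04_mv_http_logs.sql:/initdb-src/04_mv_http_logs.sql:ro
      - ../../../shared/clickhouse/05_aggregation_tables.sql:/initdb-src/05_aggregation_tables.sql:ro
      - ../../../shared/clickhouse/06_ml_tables.sql:/initdb-src/06_ml_tables.sql:ro
      - ../../../shared/clickhouse/07_ai_features_view.sql:/initdb-src/07_ai_features_view.sql:ro
      - ../../../shared/clickhouse/08_users.sql:/initdb-src/08_users.sql:ro
      - ../../../shared/clickhouse/09_audit_table.sql:/initdb-src/09_audit_table.sql:ro
      - ../../../shared/clickhouse/10_perf_indexes.sql:/initdb-src/10_perf_indexes.sql:ro
      - ../../../shared/clickhouse/11_views.sql:/initdb-src/11_views.sql:ro
      - ../../../shared/clickhouse/12_thesis_features.sql:/initdb-src/12_thesis_features.sql:ro
      - ../../../shared/data/browser_h2.csv:/initdb-src/browser_h2.csv:ro
      - ../platform/csv-stubs:/var/lib/clickhouse/user_files
    # Native (9000) and HTTP (8123) interfaces are published without a host
    # address, i.e. on every host interface.
    # NOTE(review): with no password configured above, consider publishing on
    # loopback only (e.g. "127.0.0.1:9000:9000") or dropping the mapping if
    # only containers on ja4net need access.
    ports: ["9000:9000", "8123:8123"]
    healthcheck:
      test: ["CMD", "clickhouse-client", "--query", "SELECT 1"]
      interval: 5s
      timeout: 3s
      retries: 30
    networks: [ja4net]

  platform:
    build:
      context: ../../..
      dockerfile: tests/integration/hitch-varnish/platform/Dockerfile
      args:
        BASE_IMAGE: ${PLATFORM_BASE_IMAGE:-rockylinux:9}
    hostname: platform
    # The capability list documents what the eBPF agent is expected to need
    # (TC hook, BPF program load, uprobes). It has no restricting effect while
    # `privileged: true` is set, because privileged mode grants every
    # capability and lifts the device/seccomp confinement as well.
    # NOTE(review): check whether the tests pass with `privileged` removed and
    # only these capabilities (plus any required mounts) granted.
    cap_add: [NET_ADMIN, BPF, SYS_PTRACE]
    privileged: true
    environment:
      JA4EBPF_CH_ADDR: "clickhouse:9000"
    depends_on:
      clickhouse:
        condition: service_healthy
    # Published on every host interface; traffic-gen reaches this service over
    # ja4net, so the host mapping is presumably for manual testing.
    ports: ["443:443", "80:80"]
    healthcheck:
      # Hitch does not expose an HTTP port directly.
      # The probe goes through HTTPS (hitch → varnish → backend).
      # `-k` disables certificate verification; presumably the test
      # certificate is self-signed. Keep this flag confined to the healthcheck.
      test: ["CMD", "curl", "-sfk", "https://localhost/health"]
      interval: 5s
      timeout: 3s
      retries: 30
    networks: [ja4net]

  traffic-gen:
    build:
      context: ../traffic-gen
    hostname: traffic-gen
    depends_on:
      platform:
        condition: service_healthy
    networks: [ja4net]

networks:
  ja4net:
    driver: bridge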