# =============================================================================
# Stack nginx — tests d'intégration ja4ebpf
#
# Architecture :
#   traffic-gen ─HTTPS→ nginx (TLS, HTTP/1.1+h2) ─→ ClickHouse
#                          ↑
#                       ja4ebpf (uprobe nginx + hook TC)
#
# ja4ebpf attache ses uprobes directement sur /usr/sbin/nginx (qui lie OpenSSL).
# Le hook TC ingress capture les paquets TCP SYN + TLS ClientHello sur eth0.
# =============================================================================

services:

  clickhouse:
    image: clickhouse/clickhouse-server:24.8
    hostname: clickhouse
    environment:
      CLICKHOUSE_DB: ja4_processing
      CLICKHOUSE_USER: default
      CLICKHOUSE_DEFAULT_ACCESS_MANAGEMENT: 1
    volumes:
      - ../platform/clickhouse-init.sh:/docker-entrypoint-initdb.d/00_init.sh
      - ../../../shared/clickhouse/00_database.sql:/initdb-src/00_database.sql:ro
      - ../../../shared/clickhouse/01_raw_tables.sql:/initdb-src/01_raw_tables.sql:ro
      - ../../../shared/clickhouse/02_dictionaries.sql:/initdb-src/02_dictionaries.sql:ro
      - ../../../shared/clickhouse/03_anubis_tables.sql:/initdb-src/03_anubis_tables.sql:ro
      - ../../../shared/clickhouse/04_mv_http_logs.sql:/initdb-src/04_mv_http_logs.sql:ro
      - ../../../shared/clickhouse/05_aggregation_tables.sql:/initdb-src/05_aggregation_tables.sql:ro
      - ../../../shared/clickhouse/06_ml_tables.sql:/initdb-src/06_ml_tables.sql:ro
      - ../../../shared/clickhouse/07_ai_features_view.sql:/initdb-src/07_ai_features_view.sql:ro
      - ../../../shared/clickhouse/08_users.sql:/initdb-src/08_users.sql:ro
      - ../../../shared/clickhouse/09_audit_table.sql:/initdb-src/09_audit_table.sql:ro
      - ../../../shared/clickhouse/10_perf_indexes.sql:/initdb-src/10_perf_indexes.sql:ro
      - ../../../shared/clickhouse/11_views.sql:/initdb-src/11_views.sql:ro
      - ../../../shared/clickhouse/12_thesis_features.sql:/initdb-src/12_thesis_features.sql:ro
      - ../../../shared/data/browser_h2.csv:/initdb-src/browser_h2.csv:ro
      - ../platform/csv-stubs:/var/lib/clickhouse/user_files
    ports: ["9000:9000","8123:8123"]
    healthcheck:
      test: ["CMD","clickhouse-client","--query","SELECT 1"]
      interval: 5s
      timeout: 3s
      retries: 30
    networks: [ja4net]

  platform:
    build:
      context: ../../..
      dockerfile: tests/integration/nginx/platform/Dockerfile
      args:
        BASE_IMAGE: ${PLATFORM_BASE_IMAGE:-rockylinux:9}
    hostname: platform
    # ja4ebpf nécessite CAP_BPF + CAP_NET_ADMIN pour charger eBPF
    # et CAP_SYS_PTRACE pour attacher les uprobes.
    cap_add: [NET_ADMIN, BPF, SYS_PTRACE]
    privileged: true          # requis sur certains kernels pour bpf()
    environment:
      JA4EBPF_CH_ADDR: "clickhouse:9000"
    depends_on:
      clickhouse:
        condition: service_healthy
    ports: ["443:443","80:80"]
    healthcheck:
      test: ["CMD","curl","-sfk","https://localhost/health"]
      interval: 5s
      timeout: 3s
      retries: 30
    networks: [ja4net]

  traffic-gen:
    build:
      context: ../traffic-gen
    hostname: traffic-gen
    depends_on:
      platform:
        condition: service_healthy
    networks: [ja4net]

networks:
  ja4net:
    driver: bridge