Charon/.docker/compose/docker-compose.playwright-ci.yml

# Playwright E2E Test Environment for CI/CD
# ==========================================
# This configuration is specifically designed for GitHub Actions CI/CD pipelines.
# Environment variables are provided via GitHub Secrets and generated dynamically.
#
# DO NOT USE env_file - CI provides variables via $GITHUB_ENV:
#   - CHARON_ENCRYPTION_KEY: Generated with openssl rand -base64 32 (ephemeral)
#   - CHARON_EMERGENCY_TOKEN: From repository secrets (secure)
#
# Usage in CI:
#   export CHARON_ENCRYPTION_KEY=$(openssl rand -base64 32)
#   export CHARON_EMERGENCY_TOKEN="${{ secrets.CHARON_EMERGENCY_TOKEN }}"
#   docker compose -f .docker/compose/docker-compose.playwright-ci.yml up -d
#
# Profiles:
#   # Start with security testing services (CrowdSec)
#   docker compose -f .docker/compose/docker-compose.playwright-ci.yml --profile security-tests up -d
#
#   # Start with notification testing services (MailHog)
#   docker compose -f .docker/compose/docker-compose.playwright-ci.yml --profile notification-tests up -d
#
# The setup API will be available since no users exist in the fresh database.
# The auth.setup.ts fixture will create a test admin user automatically.

services:
  # =============================================================================
  # Charon Application - Core E2E Testing Service
  # =============================================================================
  charon-app:
    # CI provides CHARON_E2E_IMAGE_TAG=charon:e2e-test (retagged from shared digest)
    # Local development uses the default fallback value
    image: ${CHARON_E2E_IMAGE_TAG:-charon:e2e-test}
    container_name: charon-playwright
    restart: "no"
    # CI generates CHARON_ENCRYPTION_KEY dynamically in GitHub Actions workflow
    # and passes CHARON_EMERGENCY_TOKEN from GitHub Secrets via $GITHUB_ENV.
    # No .env file is used in CI as it's gitignored and not available.
    ports:
      - "8080:8080"            # Management UI (Charon)
      - "127.0.0.1:2019:2019" # Caddy admin API (IPv4 loopback)
      - "[::1]:2019:2019"     # Caddy admin API (IPv6 loopback)
      - "2020:2020"           # Emergency tier-2 API (all interfaces for E2E tests)
      - "80:80"               # Caddy proxy (all interfaces for E2E tests)
      - "443:443"             # Caddy proxy HTTPS (all interfaces for E2E tests)
    environment:
      # Core configuration
      - CHARON_ENV=test
      - CHARON_DEBUG=0
      - TZ=UTC
      # E2E testing encryption key - 32 bytes base64 encoded (not for production!)
      # Encryption key - MUST be provided via environment variable
      # Generate with: export CHARON_ENCRYPTION_KEY=$(openssl rand -base64 32)
      - CHARON_ENCRYPTION_KEY=${CHARON_ENCRYPTION_KEY:?CHARON_ENCRYPTION_KEY is required}
      # Emergency reset token - for break-glass recovery when locked out by ACL
      # Generate with: openssl rand -hex 32
      - CHARON_EMERGENCY_TOKEN=${CHARON_EMERGENCY_TOKEN:-test-emergency-token-for-e2e-32chars}
      - CHARON_EMERGENCY_SERVER_ENABLED=true
      - CHARON_SECURITY_TESTS_ENABLED=${CHARON_SECURITY_TESTS_ENABLED:-true}
      # Emergency server must bind to 0.0.0.0 for Docker port mapping to work
      # Host binding via compose restricts external access (127.0.0.1:2020:2020)
      - CHARON_EMERGENCY_BIND=0.0.0.0:2020
      # Emergency server Basic Auth (required for E2E tests)
      - CHARON_EMERGENCY_USERNAME=admin
      - CHARON_EMERGENCY_PASSWORD=changeme
      # Server settings
      - CHARON_HTTP_PORT=8080
      - CHARON_DB_PATH=/app/data/charon.db
      - CHARON_FRONTEND_DIR=/app/frontend/dist
      # Caddy settings
      - CHARON_CADDY_ADMIN_API=http://localhost:2019
      - CHARON_CADDY_CONFIG_DIR=/app/data/caddy
      - CHARON_CADDY_BINARY=caddy
      # ACME settings (staging for E2E tests)
      - CHARON_ACME_STAGING=true
      # Security features - disabled by default for faster tests
      # Enable via profile: --profile security-tests
      # FEATURE_CERBERUS_ENABLED deprecated - Cerberus enabled by default
      - CHARON_SECURITY_CROWDSEC_MODE=disabled
      # SMTP for notification tests (connects to MailHog when profile enabled)
      - CHARON_SMTP_HOST=mailhog
      - CHARON_SMTP_PORT=1025
      - CHARON_SMTP_AUTH=false
    volumes:
      # Named volume for test data persistence during test runs
      - playwright_data:/app/data
      - playwright_caddy_data:/data
      - playwright_caddy_config:/config
      - /var/run/docker.sock:/var/run/docker.sock:ro # For container discovery in tests
    healthcheck:
      test: ["CMD-SHELL", "wget -qO /dev/null http://localhost:8080/api/v1/health || exit 1"]
      interval: 5s
      timeout: 3s
      retries: 12
      start_period: 10s
    networks:
      - playwright-network

  # =============================================================================
  # CrowdSec - Security Testing Service (Optional Profile)
  # =============================================================================
  crowdsec:
    image: crowdsecurity/crowdsec:latest@sha256:63b595fef92de1778573b375897a45dd226637ee9a3d3db9f57ac7355c369493
    container_name: charon-playwright-crowdsec
    profiles:
      - security-tests
    restart: "no"
    environment:
      - COLLECTIONS=crowdsecurity/nginx crowdsecurity/http-cve
      - BOUNCER_KEY_charon=test-bouncer-key-for-e2e
      # Disable online features for isolated testing
      - DISABLE_ONLINE_API=true
    volumes:
      - playwright_crowdsec_data:/var/lib/crowdsec/data
      - playwright_crowdsec_config:/etc/crowdsec
      - /var/run/docker.sock:/var/run/docker.sock:ro # For container discovery in tests
    healthcheck:
      test: ["CMD", "cscli", "version"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 30s
    networks:
      - playwright-network

  # =============================================================================
  # MailHog - Email Testing Service (Optional Profile)
  # =============================================================================
  mailhog:
    image: mailhog/mailhog:latest@sha256:8d76a3d4ffa32a3661311944007a415332c4bb855657f4f6c57996405c009bea
    container_name: charon-playwright-mailhog
    profiles:
      - notification-tests
    restart: "no"
    ports:
      - "1025:1025"    # SMTP server
      - "8025:8025"    # Web UI for viewing emails
    networks:
      - playwright-network

# =============================================================================
# Named Volumes
# =============================================================================
volumes:
  playwright_data:
    driver: local
  playwright_caddy_data:
    driver: local
  playwright_caddy_config:
    driver: local
  playwright_crowdsec_data:
    driver: local
  playwright_crowdsec_config:
    driver: local

# =============================================================================
# Networks
# =============================================================================
networks:
  playwright-network:
    driver: bridge