version: '3.8'

services:
  jenkins:
    image: jenkins/jenkins:lts
    container_name: jenkins-server
    restart: unless-stopped
    
    ports:
      - "11001:8080"
    
    volumes:
      # Jenkins home directory for persistence
      - /home/localuser/KNELDevStack-CDS/docker-data/jenkins:/var/jenkins_home
      # SSH private keys for connecting to remote systems (read-only for security)
      - /home/localuser/KNELDevStack-CDS/docker-data/jenkins/ssh-private-keys:/var/jenkins_home/.ssh:ro
      # Admin password file (accessible at /run/secrets/jenkins-admin-pw inside container)
      - /home/localuser/KNELDevStack-CDS/docker-data/jenkins/secrets:/run/secrets:ro
    
    environment:
      # Set Java options for performance (setup wizard enabled for initial admin setup)
      - JAVA_OPTS=-Xmx1g -Xms512m
    
    # Resource limits for small instance
    deploy:
      resources:
        limits:
          memory: 1.5G
          cpus: '1.0'
        reservations:
          memory: 512M
          cpus: '0.5'
    
    # Health check
    healthcheck:
      test: ["CMD-SHELL", "curl -f http://localhost:8080/login || exit 1"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 60s
    
    # Security options
    security_opt:
      - no-new-privileges:true
    
    # User configuration (run as jenkins user inside container)
    user: "1000:1000"

networks:
  default:
    name: jenkins-network