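---
# Monitoring / management stack: Netdata, Portainer, WebSSH and Dozzle on one bridge network.
#
# Review summary (details inline):
#   * Every `ports:` entry omits a host IP, so Compose publishes it on all host interfaces.
#   * Three services mount /var/run/docker.sock. The `:ro` flag does not limit Docker API
#     calls made through the socket, so each of them effectively holds root on the host.
#   * All images use mutable tags (`latest`, `arm64`); pin a version or digest so that an
#     image change is a reviewed change.
services:
  # System Monitoring
  netdata:
    image: netdata/netdata:latest
    container_name: netdata
    ports:
      # Reachable from any network that can reach the host on 7001. Confirm the dashboard
      # is behind authentication (reverse proxy) or firewall this port.
      - "7001:19999"
    volumes:
      - netdata_config:/etc/netdata
      - netdata_lib:/var/lib/netdata
      - netdata_cache:/var/cache/netdata
      - /proc:/host/proc:ro
      - /sys:/host/sys:ro
      # `:ro` only protects the socket inode; connect() and API requests still succeed.
      # A filtering socket proxy that exposes only the read endpoints is the tighter option.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Exposes the entire host filesystem (read-only) to the container, including any
      # key material or credentials stored on disk.
      - /:/host/root:ro,rslave
      - /etc/passwd:/host/etc/passwd:ro
      - /etc/group:/host/etc/group:ro
      - /etc/os-release:/host/etc/os-release:ro
    # SYS_ADMIN combined with an unconfined AppArmor profile removes much of the container
    # boundary. Keep these only if the collectors in use need them.
    cap_add:
      - SYS_PTRACE
      - SYS_ADMIN
    security_opt:
      - 'apparmor:unconfined'
    environment:
      # Token is taken from the deployer's environment / .env file (empty if unset),
      # so it is not committed with this file.
      - 'NETDATA_CLAIM_TOKEN=${NETDATA_CLAIM_TOKEN:-}'
      - 'NETDATA_CLAIM_URL=https://app.netdata.cloud'
    networks:
      - monitoring-net
    restart: unless-stopped

  # Container Management
  portainer:
    image: portainer/portainer-ce:latest
    container_name: portainer
    ports:
      # Container port 9000 is Portainer's plain-HTTP UI; credentials cross the network
      # unencrypted unless TLS is terminated in front of it.
      - "7002:9000"
    volumes:
      # Portainer drives the Docker API through this socket; `:ro` does not make it
      # read-only at the API level. Treat Portainer admin access as host root access.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - portainer_data:/data
    networks:
      - monitoring-net
    restart: unless-stopped
    security_opt:
      - 'no-new-privileges:true'

  # Web-based SSH Terminal
  webssh:
    image: kuaifan/webssh:arm64
    container_name: webssh
    ports:
      # Published on all host interfaces; nothing in this file limits who can reach it.
      - "7003:5032"
    environment:
      - 'TZ=${TZ:-UTC}'
      # NOTE(review): this was labelled "Restrict to internal network for security", but
      # `*` is a wildcard, not a restriction. Presumably this is the allowed-origin list;
      # confirm against the image's documentation and list the real origin(s) instead.
      - 'WEBSSH_ORIGIN_LIST=*'
      - 'WEBSSH_POLICY=reject'
    networks:
      - monitoring-net
    restart: unless-stopped

  # Log Management (Optional but useful)
  dozzle:
    image: amir20/dozzle:latest
    container_name: dozzle
    ports:
      # Container logs frequently contain tokens and connection strings; confirm that
      # authentication is configured before exposing this beyond a trusted network.
      - "7004:8080"
    volumes:
      # Same caveat as above: `:ro` on the socket does not restrict Docker API calls.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - monitoring-net
    restart: unless-stopped
    # Added for consistency with portainer, the other socket-mounting UI service.
    security_opt:
      - 'no-new-privileges:true'
    environment:
      - 'DOZZLE_NO_ANALYTICS=true'

volumes:
  portainer_data: {}
  netdata_config: {}
  netdata_lib: {}
  netdata_cache: {}

networks:
  monitoring-net:
    driver: bridge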