services:
  repodructor:
    image: gitea.nucleoriofrio.com/nucleo000/repodructor:latest
    container_name: repodructor
    restart: unless-stopped
    volumes:
      # Mount music directory from server
      - /srv/repodructor/musica:/app/public/music:ro
    environment:
      - NODE_ENV=production
      - NUXT_HOST=0.0.0.0
      - NUXT_PORT=3000
    networks:
      - principal
    labels:
      # Habilitar Traefik
      - "traefik.enable=true"

      # ==========================================
      # Router público para recursos PWA (sin autenticación)
      # ==========================================
      - "traefik.http.routers.musica-nucleoriofrio-public.rule=Host(`musica.nucleoriofrio.com`) && (PathPrefix(`/_nuxt`) || PathPrefix(`/assets`) || Path(`/sw.js`) || PathPrefix(`/workbox-`) || Path(`/manifest.webmanifest`) || Path(`/manifest.json`) || Path(`/robots.txt`) || Path(`/favicon.ico`) || Path(`/logo.png`) || Path(`/logo-192.png`) || Path(`/logo-512.png`) || Path(`/logo-maskable-512.png`) || Path(`/icon.svg`))"
      - "traefik.http.routers.musica-nucleoriofrio-public.entrypoints=websecure"
      - "traefik.http.routers.musica-nucleoriofrio-public.tls.certresolver=letsencrypt"
      - "traefik.http.routers.musica-nucleoriofrio-public.priority=100"
      # Solo headers de seguridad y cache para assets PWA
      - "traefik.http.routers.musica-nucleoriofrio-public.middlewares=musica-pwa-headers"
      - "traefik.http.routers.musica-nucleoriofrio-public.service=musica-nucleoriofrio-service"

      # ==========================================
      # Router protegido para el resto de la app
      # ==========================================
      - "traefik.http.routers.musica-nucleoriofrio.rule=Host(`musica.nucleoriofrio.com`)"
      - "traefik.http.routers.musica-nucleoriofrio.entrypoints=websecure"
      - "traefik.http.routers.musica-nucleoriofrio.tls.certresolver=letsencrypt"
      - "traefik.http.routers.musica-nucleoriofrio.priority=50"
      # Middlewares (orden: auth -> headers -> body-size)
      - "traefik.http.routers.musica-nucleoriofrio.middlewares=authentik-forward-auth@file,musica-headers,musica-body-size"
      - "traefik.http.routers.musica-nucleoriofrio.service=musica-nucleoriofrio-service"

      # ==========================================
      # Middleware: Headers para assets PWA (sin cache agresivo)
      # ==========================================
      - "traefik.http.middlewares.musica-pwa-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.musica-pwa-headers.headers.customrequestheaders.X-Forwarded-Scheme=https"
      - "traefik.http.middlewares.musica-pwa-headers.headers.customresponseheaders.X-Content-Type-Options=nosniff"
      - "traefik.http.middlewares.musica-pwa-headers.headers.customresponseheaders.X-XSS-Protection=1; mode=block"
      # Cache controlado por el Service Worker, no por Traefik
      - "traefik.http.middlewares.musica-pwa-headers.headers.customresponseheaders.Cache-Control=public, max-age=0, must-revalidate"
      # Permitir CORS para PWA
      - "traefik.http.middlewares.musica-pwa-headers.headers.accesscontrolallowmethods=GET,OPTIONS"
      - "traefik.http.middlewares.musica-pwa-headers.headers.accesscontrolalloworiginlist=https://musica.nucleoriofrio.com"
      - "traefik.http.middlewares.musica-pwa-headers.headers.accesscontrolmaxage=100"

      # ==========================================
      # Middleware: Headers personalizados para app protegida
      # ==========================================
      - "traefik.http.middlewares.musica-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.musica-headers.headers.customrequestheaders.X-Forwarded-Scheme=https"
      - "traefik.http.middlewares.musica-headers.headers.customresponseheaders.X-Frame-Options=SAMEORIGIN"
      - "traefik.http.middlewares.musica-headers.headers.customresponseheaders.X-Content-Type-Options=nosniff"
      - "traefik.http.middlewares.musica-headers.headers.customresponseheaders.X-XSS-Protection=1; mode=block"
      # Removed global cache header - let app control caching

      # ==========================================
      # Middleware: Tamaño máximo de body (100MB para subir archivos)
      # ==========================================
      - "traefik.http.middlewares.musica-body-size.buffering.maxrequestbodybytes=104857600"

      # ==========================================
      # Service
      # ==========================================
      - "traefik.http.services.musica-nucleoriofrio-service.loadbalancer.server.port=3000"
      - "traefik.http.services.musica-nucleoriofrio-service.loadbalancer.passhostheader=true"

networks:
  principal:
    external: true