RepoDructor/docker-compose.yml

services:
  repodructor:
    image: gitea.nucleoriofrio.com/nucleo000/repodructor:latest
    container_name: repodructor
    restart: unless-stopped
    volumes:
      # Mount music directory from server
      - /srv/repodructor/musica:/app/public/music:ro
    environment:
      - NODE_ENV=production
      - NUXT_HOST=0.0.0.0
      - NUXT_PORT=3000
    networks:
      - principal
    labels:
      # Habilitar Traefik
      - "traefik.enable=true"

      # ==========================================
      # Router público para recursos PWA ESTÁTICOS (sin autenticación)
      # IMPORTANTE: Solo assets estáticos (JS, CSS, iconos, manifest, SW)
      # Las APIs (/api/*) NO están aquí - están protegidas abajo
      # Incluye .well-known para scope extensions
      # ==========================================
      - "traefik.http.routers.musica-nucleoriofrio-public.rule=Host(`musica.nucleoriofrio.com`) && (PathPrefix(`/_nuxt`) || PathPrefix(`/assets`) || PathPrefix(`/.well-known`) || Path(`/sw.js`) || PathPrefix(`/workbox-`) || Path(`/manifest.webmanifest`) || Path(`/manifest.json`) || Path(`/robots.txt`) || Path(`/favicon.ico`) || Path(`/logo.png`) || Path(`/logo-192.png`) || Path(`/logo-512.png`) || Path(`/logo-maskable-512.png`) || Path(`/icon.svg`)) && !PathPrefix(`/api/`)"
      - "traefik.http.routers.musica-nucleoriofrio-public.entrypoints=websecure"
      - "traefik.http.routers.musica-nucleoriofrio-public.tls.certresolver=letsencrypt"
      - "traefik.http.routers.musica-nucleoriofrio-public.priority=100"
      # Solo headers de seguridad y cache para assets PWA
      - "traefik.http.routers.musica-nucleoriofrio-public.middlewares=musica-pwa-headers"
      - "traefik.http.routers.musica-nucleoriofrio-public.service=musica-nucleoriofrio-service"

      # ==========================================
      # Router protegido para el resto de la app (incluye /api/music)
      # ==========================================
      # IMPORTANTE: Todas las APIs (/api/*) pasan por aquí
      # - /api/music → Lista de canciones (requiere auth)
      # - /api/music/:name → Descarga de canción (requiere auth)
      # - Página principal (/) → Requiere auth
      #
      # Flujo PWA + Authentik:
      # 1. Usuario sin auth intenta acceder → Authentik redirige a login
      # 2. Usuario con auth accede → Puede listar y descargar música
      # 3. Música descargada se guarda en IndexedDB (stores/music.ts)
      # 4. Usuario offline → Service Worker sirve desde cache
      # 5. Usuario offline SIN cache → Falla graciosamente (no puede descargar sin auth)
      - "traefik.http.routers.musica-nucleoriofrio.rule=Host(`musica.nucleoriofrio.com`)"
      - "traefik.http.routers.musica-nucleoriofrio.entrypoints=websecure"
      - "traefik.http.routers.musica-nucleoriofrio.tls.certresolver=letsencrypt"
      - "traefik.http.routers.musica-nucleoriofrio.priority=50"
      # Middlewares (orden: auth -> headers -> body-size)
      - "traefik.http.routers.musica-nucleoriofrio.middlewares=authentik-forward-auth@file,musica-headers,musica-body-size"
      - "traefik.http.routers.musica-nucleoriofrio.service=musica-nucleoriofrio-service"

      # ==========================================
      # Middleware: Headers para assets PWA (sin cache agresivo)
      # ==========================================
      - "traefik.http.middlewares.musica-pwa-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.musica-pwa-headers.headers.customrequestheaders.X-Forwarded-Scheme=https"
      - "traefik.http.middlewares.musica-pwa-headers.headers.customresponseheaders.X-Content-Type-Options=nosniff"
      - "traefik.http.middlewares.musica-pwa-headers.headers.customresponseheaders.X-XSS-Protection=1; mode=block"
      # Cache controlado por el Service Worker, no por Traefik
      - "traefik.http.middlewares.musica-pwa-headers.headers.customresponseheaders.Cache-Control=public, max-age=0, must-revalidate"
      # Permitir CORS para PWA
      - "traefik.http.middlewares.musica-pwa-headers.headers.accesscontrolallowmethods=GET,OPTIONS"
      - "traefik.http.middlewares.musica-pwa-headers.headers.accesscontrolalloworiginlist=https://musica.nucleoriofrio.com"
      - "traefik.http.middlewares.musica-pwa-headers.headers.accesscontrolmaxage=100"

      # ==========================================
      # Middleware: Headers personalizados para app protegida
      # ==========================================
      - "traefik.http.middlewares.musica-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.musica-headers.headers.customrequestheaders.X-Forwarded-Scheme=https"
      - "traefik.http.middlewares.musica-headers.headers.customresponseheaders.X-Frame-Options=SAMEORIGIN"
      - "traefik.http.middlewares.musica-headers.headers.customresponseheaders.X-Content-Type-Options=nosniff"
      - "traefik.http.middlewares.musica-headers.headers.customresponseheaders.X-XSS-Protection=1; mode=block"
      # Removed global cache header - let app control caching

      # ==========================================
      # Middleware: Tamaño máximo de body (100MB para subir archivos)
      # ==========================================
      - "traefik.http.middlewares.musica-body-size.buffering.maxrequestbodybytes=104857600"

      # ==========================================
      # Service
      # ==========================================
      - "traefik.http.services.musica-nucleoriofrio-service.loadbalancer.server.port=3000"
      - "traefik.http.services.musica-nucleoriofrio-service.loadbalancer.passhostheader=true"

networks:
  principal:
    external: true