version: '3.8'

services:
  nuxt-app:
    image: ${REG}/${REPO_OWNER}/${APP_NAME}:latest
    container_name: ${APP_NAME}
    restart: unless-stopped
    environment:
      - NODE_ENV=production
      # Nuxt runtime config variables (prefijo NUXT_)
      - NUXT_SUPABASE_URL=${SUPABASE_URL}
      - NUXT_SUPABASE_SERVICE_ROLE_KEY=${SUPABASE_SERVICE_ROLE_KEY}
      # Variables originales para compatibilidad
      - SUPABASE_URL=${SUPABASE_URL}
      - SUPABASE_SERVICE_ROLE_KEY=${SUPABASE_SERVICE_ROLE_KEY}
      - NEXT_PUBLIC_SUPABASE_URL=${SUPABASE_URL}
      - NEXT_PUBLIC_SUPABASE_ANON_KEY=${SUPABASE_ANON_KEY}
      # Authentik configuration
      - NUXT_PUBLIC_AUTHENTIK_URL=${NUXT_PUBLIC_AUTHENTIK_URL:-https://authentik.nucleoriofrio.com}
      # Metabase configuration
      - METABASE_URL=${METABASE_URL:-https://metabase.nucleoriofrio.com}
      - METABASE_API_KEY=${METABASE_API_KEY}
      - METABASE_EMAIL=${METABASE_EMAIL}
      - METABASE_PASSWORD=${METABASE_PASSWORD}
    networks:
      - principal
      - traefik-network
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=principal"

      # Service
      - "traefik.http.services.${APP_NAME}.loadbalancer.server.port=3000"

      # Router para assets estáticos de Nuxt (sin autenticación) - mayor prioridad
      # SOLO /_nuxt/* para que la aplicación funcione
      - "traefik.http.routers.${APP_NAME}-public.rule=Host(`${APP_DOMAIN}`) && PathPrefix(`/_nuxt`)"
      - "traefik.http.routers.${APP_NAME}-public.entrypoints=websecure"
      - "traefik.http.routers.${APP_NAME}-public.tls=true"
      - "traefik.http.routers.${APP_NAME}-public.tls.certresolver=letsencrypt"
      - "traefik.http.routers.${APP_NAME}-public.service=${APP_NAME}"
      - "traefik.http.routers.${APP_NAME}-public.priority=100"
      - "traefik.http.routers.${APP_NAME}-public.middlewares=${APP_NAME}-headers"

      # Router principal con Authentik Forward Auth (menor prioridad)
      - "traefik.http.routers.${APP_NAME}.rule=Host(`${APP_DOMAIN}`)"
      - "traefik.http.routers.${APP_NAME}.entrypoints=websecure"
      - "traefik.http.routers.${APP_NAME}.tls=true"
      - "traefik.http.routers.${APP_NAME}.tls.certresolver=letsencrypt"
      - "traefik.http.routers.${APP_NAME}.service=${APP_NAME}"
      - "traefik.http.routers.${APP_NAME}.priority=50"
      - "traefik.http.routers.${APP_NAME}.middlewares=authentik-forward-auth@file,${APP_NAME}-headers"

      # Custom headers middleware
      - "traefik.http.middlewares.${APP_NAME}-headers.headers.customrequestheaders.X-Forwarded-Proto=https"

networks:
  principal:
    external: true
  traefik-network:
    external: true