version: '3.8'

services:
  postgres:
    image: postgres:16-alpine
    container_name: analiticanucleo-postgres
    restart: unless-stopped
    environment:
      - POSTGRES_USER=${POSTGRES_USER:-postgres}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
      - POSTGRES_DB=${POSTGRES_DB:-analitica}
      - PGRST_DB_AUTHENTICATOR_PASSWORD=${PGRST_DB_AUTHENTICATOR_PASSWORD}
    ports:
      - "3000:5432"
    volumes:
      - postgres_data:/var/lib/postgresql/data
      - ./init-db:/docker-entrypoint-initdb.d
    networks:
      - principal
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-postgres}"]
      interval: 10s
      timeout: 5s
      retries: 5

  postgrest:
    image: postgrest/postgrest:latest
    container_name: analiticanucleo-postgrest
    restart: unless-stopped
    environment:
      - PGRST_DB_URI=postgres://authenticator:${PGRST_DB_AUTHENTICATOR_PASSWORD}@postgres:5432/${POSTGRES_DB:-analitica}
      - PGRST_DB_SCHEMA=${PGRST_DB_SCHEMA:-public}
      - PGRST_DB_ANON_ROLE=${PGRST_DB_ANON_ROLE:-web_anon}
      - PGRST_JWT_SECRET=${PGRST_JWT_SECRET}
      - PGRST_OPENAPI_SERVER_PROXY_URI=${PGRST_OPENAPI_SERVER_PROXY_URI:-https://api.analitica.nucleoriofrio.com}
    depends_on:
      postgres:
        condition: service_healthy
    networks:
      - principal
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.analiticanucleo-api.rule=Host(`api.analitica.nucleoriofrio.com`)"
      - "traefik.http.routers.analiticanucleo-api.entrypoints=websecure"
      - "traefik.http.routers.analiticanucleo-api.tls=true"
      - "traefik.http.routers.analiticanucleo-api.tls.certresolver=letsencrypt"
      - "traefik.http.services.analiticanucleo-api.loadbalancer.server.port=3000"
      - "traefik.docker.network=principal"

  nuxt-app:
    image: ${REG}/${REPO_OWNER}/${APP_NAME}:latest
    container_name: ${APP_NAME}
    restart: unless-stopped
    environment:
      - NODE_ENV=production
      # Nuxt runtime config variables (prefijo NUXT_)
      - NUXT_SUPABASE_URL=${SUPABASE_URL}
      - NUXT_SUPABASE_SERVICE_ROLE_KEY=${SUPABASE_SERVICE_ROLE_KEY}
      # Variables originales para compatibilidad
      - SUPABASE_URL=${SUPABASE_URL}
      - SUPABASE_SERVICE_ROLE_KEY=${SUPABASE_SERVICE_ROLE_KEY}
      - NEXT_PUBLIC_SUPABASE_URL=${SUPABASE_URL}
      - NEXT_PUBLIC_SUPABASE_ANON_KEY=${SUPABASE_ANON_KEY}
      # Authentik configuration
      - NUXT_PUBLIC_AUTHENTIK_URL=${NUXT_PUBLIC_AUTHENTIK_URL:-https://authentik.nucleoriofrio.com}
      # PostgREST API URL
      - NUXT_PUBLIC_POSTGREST_URL=${NUXT_PUBLIC_POSTGREST_URL:-https://api.analitica.nucleoriofrio.com}
    depends_on:
      - postgrest
    networks:
      - principal
      - traefik-network
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=principal"

      # Service
      - "traefik.http.services.${APP_NAME}.loadbalancer.server.port=3000"

      # Router principal con Authentik Forward Auth
      - "traefik.http.routers.${APP_NAME}.rule=Host(`${APP_DOMAIN}`)"
      - "traefik.http.routers.${APP_NAME}.entrypoints=websecure"
      - "traefik.http.routers.${APP_NAME}.tls=true"
      - "traefik.http.routers.${APP_NAME}.tls.certresolver=letsencrypt"
      - "traefik.http.routers.${APP_NAME}.service=${APP_NAME}"
      - "traefik.http.routers.${APP_NAME}.middlewares=authentik-forward-auth@file,${APP_NAME}-headers"

      # Custom headers middleware
      - "traefik.http.middlewares.${APP_NAME}-headers.headers.customrequestheaders.X-Forwarded-Proto=https"

networks:
  principal:
    external: true
  traefik-network:
    external: true

volumes:
  postgres_data: