version: '3.8' services: postgres: image: postgres:16-alpine container_name: ${APP_NAME}_postgres restart: unless-stopped environment: - POSTGRES_DB=${POSTGRES_DB:-riocata} - POSTGRES_USER=${POSTGRES_USER:-riocata_user} - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} - PGDATA=/var/lib/postgresql/data/pgdata volumes: - postgres_data:/var/lib/postgresql/data - ./postgres/init:/docker-entrypoint-initdb.d:ro networks: - principal healthcheck: test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-riocata_user} -d ${POSTGRES_DB:-riocata}"] interval: 10s timeout: 5s retries: 5 app: image: ${REG}/${REPO_OWNER}/${APP_NAME}:latest container_name: ${APP_NAME} restart: unless-stopped depends_on: postgres: condition: service_healthy environment: # Node Environment - NODE_ENV=production - NUXT_HOST=0.0.0.0 - NUXT_PORT=3000 # Public URL - NUXT_PUBLIC_APP_URL=${NUXT_PUBLIC_APP_URL} # Database Connection - DATABASE_URL=postgresql://${POSTGRES_USER:-riocata_user}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB:-riocata} - POSTGRES_HOST=postgres - POSTGRES_PORT=5432 - POSTGRES_DB=${POSTGRES_DB:-riocata} - POSTGRES_USER=${POSTGRES_USER:-riocata_user} - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} networks: - principal - traefik-network labels: - traefik.enable=true - traefik.docker.network=principal - traefik.http.services.${APP_NAME}.loadbalancer.server.port=3000 # Públicos PWA (sin auth) - traefik.http.routers.${APP_NAME}-public.rule=Host(`${APP_DOMAIN}`) && (PathPrefix(`/manifest.webmanifest`) || PathPrefix(`/sw.js`) || PathPrefix(`/workbox-`) || PathPrefix(`/icon-`) || PathPrefix(`/apple-touch-icon`) || PathPrefix(`/favicon.ico`) || PathPrefix(`/robots.txt`) || PathPrefix(`/offline.html`) || PathPrefix(`/api/_nuxt_icon/`)) - traefik.http.routers.${APP_NAME}-public.entrypoints=websecure - traefik.http.routers.${APP_NAME}-public.tls.certresolver=letsencrypt - traefik.http.routers.${APP_NAME}-public.priority=100 - traefik.http.routers.${APP_NAME}-public.service=${APP_NAME} - traefik.http.routers.${APP_NAME}-public.middlewares=${APP_NAME}-headers,${APP_NAME}-cors # App protegida - traefik.http.routers.${APP_NAME}.rule=Host(`${APP_DOMAIN}`) - traefik.http.routers.${APP_NAME}.entrypoints=websecure - traefik.http.routers.${APP_NAME}.tls.certresolver=letsencrypt - traefik.http.routers.${APP_NAME}.priority=10 - traefik.http.routers.${APP_NAME}.service=${APP_NAME} - traefik.http.routers.${APP_NAME}.middlewares=${APP_NAME}-authentik,${APP_NAME}-headers # ForwardAuth interno → sidecar - traefik.http.middlewares.${APP_NAME}-authentik.forwardauth.address=http://ak-outpost-exterior-lvl2:9000/outpost.goauthentik.io/auth/traefik - traefik.http.middlewares.${APP_NAME}-authentik.forwardauth.trustForwardHeader=true - traefik.http.middlewares.${APP_NAME}-authentik.forwardauth.authResponseHeaders=X-Authentik-Username,X-Authentik-Email,X-Authentik-Name,X-Authentik-Uid,X-Authentik-Groups,X-Authentik-Entitlements # X-Forwarded-* - traefik.http.middlewares.${APP_NAME}-headers.headers.customrequestheaders.X-Forwarded-Proto=https - traefik.http.middlewares.${APP_NAME}-headers.headers.customrequestheaders.X-Forwarded-Scheme=https # CORS para assets públicos - traefik.http.middlewares.${APP_NAME}-cors.headers.accesscontrolallowmethods=GET,OPTIONS - traefik.http.middlewares.${APP_NAME}-cors.headers.accesscontrolalloworiginlist=https://${APP_DOMAIN} - traefik.http.middlewares.${APP_NAME}-cors.headers.accesscontrolmaxage=100 - traefik.http.middlewares.${APP_NAME}-cors.headers.addvaryheader=true volumes: postgres_data: name: ${APP_NAME}_postgres_data networks: principal: external: true traefik-network: external: true