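---
# Docker Compose stack: one MeshCentral instance published through an existing
# Traefik reverse proxy. Substitution variables expected from the shell / .env:
#   APP_NAME   - service, router and middleware name (defaults to "meshcentral")
#   APP_DOMAIN - public hostname (required; the stack refuses to start without it)
# The collapsed single-line form this file was stored in is not parseable YAML;
# it is restored to block style here.
# `version` is ignored by the Compose Specification (docker compose v2) and is
# kept only for older docker-compose releases.
version: '3.8'

services:
  meshcentral:
    # NOTE(review): `latest` is an unpinned tag; pin a release tag or digest if
    # reproducible, reviewable upgrades matter for this host.
    image: ghcr.io/ylianst/meshcentral:latest
    container_name: ${APP_NAME:-meshcentral}
    restart: unless-stopped
    volumes:
      # Persistent state on the host: database/config, user files, backups and
      # extra configuration.
      - /srv/meshcentral/data:/opt/meshcentral/meshcentral-data
      - /srv/meshcentral/files:/opt/meshcentral/meshcentral-files
      - /srv/meshcentral/backup:/opt/meshcentral/meshcentral-backup
      - /srv/meshcentral/config:/opt/meshcentral/meshcentral-config
    environment:
      # Public hostname; must match the Traefik Host() rules below. `:?` makes
      # Compose fail fast instead of deploying with an empty Host() rule.
      - HOSTNAME=${APP_DOMAIN:?APP_DOMAIN must be set}
      - REVERSE_PROXY=traefik
      - REVERSE_PROXY_TLS_PORT=443
      # NOTE(review): the image entrypoint maps a fixed set of variables into
      # config.json; variables it does not know are presumably ignored
      # silently. Confirm each of the following is honoured by the image tag
      # in use.
      - IFRAME=false
      - ALLOWLOGINTOKEN=true
      - LOCALSESSIONRECORDING=false
      - MINIFY=true
      - WEBRTC=true
      - CLICKONCE=false
      - ALLOWHIGHQUALITYDESKTOP=true
      - DESKTOPASPECTRATIOS=1.33,1.5,1.6,1.7,1.778,2.0
      - ALLOWFRAMING=false
      - COOKIEENCODING=hex
      - SESSIONRECORDINGCHUNKSIZE=1000000
    ulimits:
      # Many concurrent agent/relay websockets; raise the open-file limit.
      nofile:
        soft: 65536
        hard: 65536
    networks:
      - principal
      - traefik-network
    labels:
      - "traefik.enable=true"
      # Network Traefik uses to reach this container; Traefik itself must be
      # attached to it.
      - "traefik.docker.network=principal"
      # Service: MeshCentral terminates TLS itself on 443 inside the container.
      - "traefik.http.services.${APP_NAME:-meshcentral}.loadbalancer.server.port=443"
      - "traefik.http.services.${APP_NAME:-meshcentral}.loadbalancer.server.scheme=https"
      # ServersTransport: certificate verification is skipped on the
      # Traefik -> MeshCentral hop because the backend presents a self-signed
      # certificate. That hop is therefore only as trustworthy as the
      # `principal` Docker network. Key corrected from `servertransports`: the
      # Traefik dynamic-config section is `serversTransports`, so the misspelt
      # label never defined the transport that `serverstransport=` below
      # references.
      - "traefik.http.serverstransports.meshcentral-transport.insecureskipverify=true"
      - "traefik.http.services.${APP_NAME:-meshcentral}.loadbalancer.serverstransport=meshcentral-transport"
      # Main router: interactive user routes; the agent endpoints are excluded
      # and served by the higher-priority router below.
      # NOTE(review): the original comment described this router as carrying
      # "Authentik Forward Auth", but the only middleware attached is
      # ${APP_NAME}-headers and no forward-auth middleware is defined anywhere
      # in this file. If the web UI is meant to sit behind Authentik, add that
      # middleware to this router's `middlewares` list (and keep it off the
      # agents router, whose clients cannot complete an interactive login).
      - "traefik.http.routers.${APP_NAME:-meshcentral}.rule=Host(`${APP_DOMAIN}`) && !PathPrefix(`/agent.ashx`) && !PathPrefix(`/meshrelay.ashx`) && !PathPrefix(`/devicefile.ashx`) && !PathPrefix(`/amtactivate`) && !PathPrefix(`/meshsettings`) && !PathPrefix(`/devicepower.ashx`)"
      - "traefik.http.routers.${APP_NAME:-meshcentral}.entrypoints=websecure"
      - "traefik.http.routers.${APP_NAME:-meshcentral}.tls=true"
      - "traefik.http.routers.${APP_NAME:-meshcentral}.tls.certresolver=letsencrypt"
      - "traefik.http.routers.${APP_NAME:-meshcentral}.service=${APP_NAME:-meshcentral}"
      - "traefik.http.routers.${APP_NAME:-meshcentral}.priority=100"
      - "traefik.http.routers.${APP_NAME:-meshcentral}.middlewares=${APP_NAME:-meshcentral}-headers"
      # Agents router (no user authentication, per the original design):
      # agent, relay, device-file, AMT and settings endpoints. Priority 200
      # beats the main router's 100, so these paths never hit the user router.
      - "traefik.http.routers.${APP_NAME:-meshcentral}-agents.rule=Host(`${APP_DOMAIN}`) && (PathPrefix(`/agent.ashx`) || PathPrefix(`/meshrelay.ashx`) || PathPrefix(`/devicefile.ashx`) || PathPrefix(`/amtactivate`) || PathPrefix(`/meshsettings`) || PathPrefix(`/devicepower.ashx`))"
      - "traefik.http.routers.${APP_NAME:-meshcentral}-agents.entrypoints=websecure"
      - "traefik.http.routers.${APP_NAME:-meshcentral}-agents.tls=true"
      - "traefik.http.routers.${APP_NAME:-meshcentral}-agents.tls.certresolver=letsencrypt"
      - "traefik.http.routers.${APP_NAME:-meshcentral}-agents.service=${APP_NAME:-meshcentral}"
      - "traefik.http.routers.${APP_NAME:-meshcentral}-agents.priority=200"
      - "traefik.http.routers.${APP_NAME:-meshcentral}-agents.middlewares=${APP_NAME:-meshcentral}-headers"
      # Custom request headers so MeshCentral sees the original scheme/host
      # behind the proxy.
      - "traefik.http.middlewares.${APP_NAME:-meshcentral}-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.${APP_NAME:-meshcentral}-headers.headers.customrequestheaders.X-Forwarded-Host=${APP_DOMAIN}"
      # NOTE(review): `headers.sslredirect` is deprecated in Traefik v2 and, to
      # my knowledge, removed in v3; both routers already bind only to the TLS
      # entrypoint, so an entrypoint-level HTTP->HTTPS redirection is the
      # durable replacement. Kept unchanged here.
      - "traefik.http.middlewares.${APP_NAME:-meshcentral}-headers.headers.sslredirect=true"

networks:
  # Both networks are created outside this stack.
  principal:
    external: true
  traefik-network:
    external: true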