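# Compose stack: a Nuxt app plus two MCP servers (Docker and Gitea), all
# published through Traefik on externally managed networks.
#
# Router priorities: mcp / mcp-gitea (200) > public PWA assets (100) >
# protected app (10). Only the priority-10 router carries the
# authentik-forward-auth middleware, so every request matched by a
# higher-priority router is served without that check.
version: '3.8'

services:
  app:
    # NOTE(review): ":latest" is a mutable tag, so a redeploy runs whatever the
    # registry serves at that moment. Pin a version tag or digest, e.g.
    # "...:<VERSION_PLACEHOLDER>" or "...@sha256:<DIGEST_PLACEHOLDER>".
    image: ${REG}/${REPO_OWNER}/${APP_NAME}:latest
    container_name: ${APP_NAME}
    restart: unless-stopped
    environment:
      # Node Environment
      - NODE_ENV=production
      - NUXT_HOST=0.0.0.0
      - NUXT_PORT=3000
      # Public URL
      - NUXT_PUBLIC_APP_URL=${NUXT_PUBLIC_APP_URL}
    networks:
      - principal
      - traefik-network
    # Labels stay in list form ("key=value"): Compose interpolates ${...} in
    # values only, and these label names contain ${APP_NAME}.
    labels:
      # Traefik labels
      - "traefik.enable=true"
      - "traefik.docker.network=traefik-network"

      # Service (shared by both routers)
      - "traefik.http.services.${APP_NAME}.loadbalancer.server.port=3000"

      # Router 1: Public PWA resources (no auth) - Higher priority
      # Everything matched here skips forward-auth, so the rule is kept as
      # narrow as possible: single files use the exact-match Path(), and
      # PathPrefix() is kept only for families of generated file names.
      - "traefik.http.routers.${APP_NAME}-public.rule=Host(`${APP_DOMAIN}`) && (Path(`/manifest.webmanifest`) || Path(`/sw.js`) || PathPrefix(`/workbox-`) || PathPrefix(`/icon-`) || PathPrefix(`/apple-touch-icon`) || Path(`/favicon.ico`) || Path(`/robots.txt`) || Path(`/offline.html`) || PathPrefix(`/api/_nuxt_icon/`))"
      - "traefik.http.routers.${APP_NAME}-public.entrypoints=websecure"
      - "traefik.http.routers.${APP_NAME}-public.tls.certresolver=letsencrypt"
      - "traefik.http.routers.${APP_NAME}-public.priority=100"
      - "traefik.http.routers.${APP_NAME}-public.service=${APP_NAME}"
      - "traefik.http.routers.${APP_NAME}-public.middlewares=${APP_NAME}-headers,${APP_NAME}-cors"

      # Router 2: Protected application (with auth) - Normal priority
      - "traefik.http.routers.${APP_NAME}.rule=Host(`${APP_DOMAIN}`)"
      - "traefik.http.routers.${APP_NAME}.entrypoints=websecure"
      - "traefik.http.routers.${APP_NAME}.tls.certresolver=letsencrypt"
      - "traefik.http.routers.${APP_NAME}.priority=10"
      - "traefik.http.routers.${APP_NAME}.service=${APP_NAME}"
      - "traefik.http.routers.${APP_NAME}.middlewares=authentik-forward-auth@file,${APP_NAME}-headers"

      # Custom headers middleware
      - "traefik.http.middlewares.${APP_NAME}-headers.headers.customrequestheaders.X-Forwarded-Proto=https"

      # CORS middleware for public resources (same-origin allow-list only)
      - "traefik.http.middlewares.${APP_NAME}-cors.headers.accesscontrolallowmethods=GET,OPTIONS"
      - "traefik.http.middlewares.${APP_NAME}-cors.headers.accesscontrolalloworiginlist=https://${APP_DOMAIN}"
      - "traefik.http.middlewares.${APP_NAME}-cors.headers.accesscontrolmaxage=100"
      - "traefik.http.middlewares.${APP_NAME}-cors.headers.addvaryheader=true"

  mcp-docker:
    # NOTE(review): mutable ":latest" tag - pin a version or digest (see app).
    image: ${REG}/${REPO_OWNER}/mcp-docker-server:latest
    container_name: ${APP_NAME}-mcp-docker
    restart: unless-stopped
    environment:
      - PORT=3000
    volumes:
      # Mount the Docker socket so the server can reach the daemon.
      # NOTE(review): ":ro" only makes the bind mount read-only on the
      # filesystem; it does not limit which Docker API calls can be sent
      # through the socket. Together with the unauthenticated router below,
      # whatever this server exposes of the Docker API is reachable by anyone
      # who can reach ${APP_DOMAIN}/mcp, unless the server enforces its own
      # authentication (not visible in this file). Before exposing it, put an
      # auth or IP allow-list middleware on the router and front the socket
      # with a filtering proxy limited to the endpoints actually needed.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - principal
      - traefik-network
    labels:
      # Traefik labels - exposed without authentication
      - "traefik.enable=true"
      - "traefik.docker.network=traefik-network"

      # Service
      - "traefik.http.services.${APP_NAME}-mcp.loadbalancer.server.port=3000"

      # Unauthenticated router for /mcp - higher priority than the main app.
      # NOTE(review): priority 200 outranks the protected app router, so these
      # requests never pass through authentik-forward-auth. PathPrefix is a
      # plain string prefix: any app path that merely starts with "/mcp" is
      # routed here as well - confirm that is intended.
      - "traefik.http.routers.${APP_NAME}-mcp.rule=Host(`${APP_DOMAIN}`) && PathPrefix(`/mcp`)"
      - "traefik.http.routers.${APP_NAME}-mcp.entrypoints=websecure"
      - "traefik.http.routers.${APP_NAME}-mcp.tls.certresolver=letsencrypt"
      - "traefik.http.routers.${APP_NAME}-mcp.priority=200"
      - "traefik.http.routers.${APP_NAME}-mcp.service=${APP_NAME}-mcp"

      # Middlewares for MCP: strip the /mcp prefix, set X-Forwarded-Proto
      - "traefik.http.middlewares.${APP_NAME}-mcp-stripprefix.stripprefix.prefixes=/mcp"
      - "traefik.http.middlewares.${APP_NAME}-mcp-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.${APP_NAME}-mcp.middlewares=${APP_NAME}-mcp-stripprefix,${APP_NAME}-mcp-headers"

  mcp-gitea:
    # NOTE(review): mutable ":latest" tag - pin a version or digest (see app).
    image: ${REG}/${REPO_OWNER}/mcp-gitea-server:latest
    container_name: ${APP_NAME}-mcp-gitea
    restart: unless-stopped
    environment:
      - PORT=3000
      - GIT_URL=${GIT_URL}
      # NOTE(review): presumably the server acts on Gitea with this token, and
      # the router below has no auth middleware, so callers of /mcp would act
      # with the token's privileges unless the server authenticates them
      # itself (not visible here). Scope the token to the minimum needed.
      # Environment values are also readable through Docker's container
      # inspection, which mcp-docker has socket access to; a Compose secret
      # would keep the token out of the container environment.
      - GIT_TOKEN=${GIT_TOKEN}
    networks:
      - principal
      - traefik-network
    labels:
      # Traefik labels - exposed without authentication
      - "traefik.enable=true"
      - "traefik.docker.network=traefik-network"

      # Service
      - "traefik.http.services.${APP_NAME}-mcp-gitea.loadbalancer.server.port=3000"

      # Unauthenticated router for /mcp on gitea.nucleoriofrio.com
      # (matches Host ${GIT_DOMAIN}, not ${APP_DOMAIN}).
      - "traefik.http.routers.${APP_NAME}-mcp-gitea.rule=Host(`${GIT_DOMAIN}`) && PathPrefix(`/mcp`)"
      - "traefik.http.routers.${APP_NAME}-mcp-gitea.entrypoints=websecure"
      - "traefik.http.routers.${APP_NAME}-mcp-gitea.tls.certresolver=letsencrypt"
      - "traefik.http.routers.${APP_NAME}-mcp-gitea.priority=200"
      - "traefik.http.routers.${APP_NAME}-mcp-gitea.service=${APP_NAME}-mcp-gitea"

      # Middlewares for MCP Gitea: strip the /mcp prefix, set X-Forwarded-Proto
      - "traefik.http.middlewares.${APP_NAME}-mcp-gitea-stripprefix.stripprefix.prefixes=/mcp"
      - "traefik.http.middlewares.${APP_NAME}-mcp-gitea-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.${APP_NAME}-mcp-gitea.middlewares=${APP_NAME}-mcp-gitea-stripprefix,${APP_NAME}-mcp-gitea-headers"

# Both networks are declared external: they must already exist, and Compose
# only attaches the services to them.
networks:
  principal:
    external: true
  traefik-network:
    external: true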