perfil/docker-compose.yml

version: '3.8'

services:
  app:
    image: ${REG}/${REPO_OWNER}/${APP_NAME}:latest
    container_name: ${APP_NAME}
    restart: unless-stopped
    environment:
      # Node Environment
      - NODE_ENV=production
      - NUXT_HOST=0.0.0.0
      - NUXT_PORT=3000
      # Public URL
      - NUXT_PUBLIC_APP_URL=${NUXT_PUBLIC_APP_URL}
      # Authentik API Configuration
      - NUXT_AUTHENTIK_API_TOKEN=${NUXT_AUTHENTIK_API_TOKEN}
      - NUXT_AUTHENTIK_API_URL=${NUXT_AUTHENTIK_API_URL}
      - NUXT_PUBLIC_AUTHENTIK_URL=${NUXT_PUBLIC_AUTHENTIK_URL}
    networks:
      - principal
      - traefik-network
    labels:
      # Traefik labels
      - "traefik.enable=true"
      - "traefik.docker.network=traefik-network"

      # Service (shared by both routers)
      - "traefik.http.services.${APP_NAME}.loadbalancer.server.port=3000"

      # Router 1: Public PWA resources (no auth) - Higher priority
      - "traefik.http.routers.${APP_NAME}-public.rule=Host(`${APP_DOMAIN}`) && (PathPrefix(`/manifest.webmanifest`) || PathPrefix(`/sw.js`) || PathPrefix(`/workbox-`) || PathPrefix(`/icon-`) || PathPrefix(`/apple-touch-icon`) || PathPrefix(`/favicon.ico`) || PathPrefix(`/robots.txt`) || PathPrefix(`/offline.html`) || PathPrefix(`/api/_nuxt_icon/`))"
      - "traefik.http.routers.${APP_NAME}-public.entrypoints=websecure"
      - "traefik.http.routers.${APP_NAME}-public.tls.certresolver=letsencrypt"
      - "traefik.http.routers.${APP_NAME}-public.priority=100"
      - "traefik.http.routers.${APP_NAME}-public.service=${APP_NAME}"
      - "traefik.http.routers.${APP_NAME}-public.middlewares=${APP_NAME}-headers,${APP_NAME}-cors"

      # Router 2: Protected application (with auth) - Normal priority
      - "traefik.http.routers.${APP_NAME}.rule=Host(`${APP_DOMAIN}`)"
      - "traefik.http.routers.${APP_NAME}.entrypoints=websecure"
      - "traefik.http.routers.${APP_NAME}.tls.certresolver=letsencrypt"
      - "traefik.http.routers.${APP_NAME}.priority=10"
      - "traefik.http.routers.${APP_NAME}.service=${APP_NAME}"
      - "traefik.http.routers.${APP_NAME}.middlewares=authentik-forward-auth@file,${APP_NAME}-headers"

      # Custom headers middleware
      - "traefik.http.middlewares.${APP_NAME}-headers.headers.customrequestheaders.X-Forwarded-Proto=https"

      # CORS middleware for public resources
      - "traefik.http.middlewares.${APP_NAME}-cors.headers.accesscontrolallowmethods=GET,OPTIONS"
      - "traefik.http.middlewares.${APP_NAME}-cors.headers.accesscontrolalloworiginlist=https://${APP_DOMAIN}"
      - "traefik.http.middlewares.${APP_NAME}-cors.headers.accesscontrolmaxage=100"
      - "traefik.http.middlewares.${APP_NAME}-cors.headers.addvaryheader=true"

networks:
  principal:
    external: true
  traefik-network:
    external: true