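---
# Photo server published through Traefik.
# Static assets are served without authentication; every other path on the
# host goes through Authentik ForwardAuth.
services:
  photo-server:
    # NOTE(review): ":latest" is a mutable tag and `restart: unless-stopped`
    # will run whatever was last pulled. Pin to an immutable tag or an
    # `@sha256:<digest>` reference so the deployed image is reproducible.
    image: gitea.nucleoriofrio.com/nucleo000/photo-server:latest
    container_name: photo-server
    restart: unless-stopped
    volumes:
      # Mount photos directory from server (read-only inside the container)
      - /srv/photo-server/photos:/app/photos:ro
    environment:
      - NODE_ENV=production
      - PORT=3001
    networks:
      - principal
    labels:
      # Enable Traefik
      - "traefik.enable=true"

      # ==========================================
      # Public router for static resources (no authentication)
      # Assets: CSS, JS, favicon
      # ==========================================
      # Exact Path() matches are used instead of PathPrefix(): a prefix
      # matcher would also send any path that merely starts with
      # "/styles.css" or "/main.js" to the backend without ForwardAuth.
      # The /api/ exclusion is kept as a guard in case a prefix matcher is
      # ever reintroduced.
      # This router does not run ForwardAuth, so client-supplied
      # X-Authentik-* request headers are not overwritten on these paths;
      # the backend must not treat them as identity here.
      - "traefik.http.routers.photos-nucleoriofrio-public.rule=Host(`photos.nucleoriofrio.com`) && (Path(`/styles.css`) || Path(`/main.js`) || Path(`/favicon.ico`)) && !PathPrefix(`/api/`)"
      - "traefik.http.routers.photos-nucleoriofrio-public.entrypoints=websecure"
      - "traefik.http.routers.photos-nucleoriofrio-public.tls.certresolver=letsencrypt"
      # Higher priority than the protected router (50) so it is evaluated first.
      - "traefik.http.routers.photos-nucleoriofrio-public.priority=100"
      - "traefik.http.routers.photos-nucleoriofrio-public.middlewares=photos-static-headers"
      - "traefik.http.routers.photos-nucleoriofrio-public.service=photos-nucleoriofrio-service"

      # ==========================================
      # Protected router for the rest of the app
      # ==========================================
      # IMPORTANT: all APIs and main content require authentication
      # - /api/photos     -> photo list (requires auth)
      # - /api/photos/zip -> ZIP download (requires auth)
      # - /photos/:name   -> view a single photo (requires auth)
      # - Main page (/)   -> requires auth
      - "traefik.http.routers.photos-nucleoriofrio.rule=Host(`photos.nucleoriofrio.com`)"
      - "traefik.http.routers.photos-nucleoriofrio.entrypoints=websecure"
      - "traefik.http.routers.photos-nucleoriofrio.tls.certresolver=letsencrypt"
      - "traefik.http.routers.photos-nucleoriofrio.priority=50"
      # Middlewares (order: auth -> headers -> body-size)
      - "traefik.http.routers.photos-nucleoriofrio.middlewares=photos-authentik,photos-headers,photos-body-size"
      - "traefik.http.routers.photos-nucleoriofrio.service=photos-nucleoriofrio-service"

      # ==========================================
      # Middleware: Authentik ForwardAuth (same as rioCata)
      # ==========================================
      - "traefik.http.middlewares.photos-authentik.forwardauth.address=http://ak-outpost-exterior-lvl2:9000/outpost.goauthentik.io/auth/traefik"
      # NOTE(review): with trustForwardHeader=true the outpost sees whatever
      # X-Forwarded-* values reach this middleware. That is only sound if the
      # "websecure" entrypoint does not accept those headers from untrusted
      # clients (i.e. forwardedHeaders.insecure is not enabled) - confirm in
      # the Traefik static configuration.
      - "traefik.http.middlewares.photos-authentik.forwardauth.trustForwardHeader=true"
      # Identity headers copied from the outpost response onto the request
      # that is forwarded to the backend.
      - "traefik.http.middlewares.photos-authentik.forwardauth.authResponseHeaders=X-Authentik-Username,X-Authentik-Email,X-Authentik-Name,X-Authentik-Uid,X-Authentik-Groups,X-Authentik-Entitlements"

      # ==========================================
      # Middleware: headers for static assets
      # ==========================================
      - "traefik.http.middlewares.photos-static-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.photos-static-headers.headers.customrequestheaders.X-Forwarded-Scheme=https"
      - "traefik.http.middlewares.photos-static-headers.headers.customresponseheaders.X-Content-Type-Options=nosniff"
      # NOTE(review): X-XSS-Protection is a legacy header that current
      # browsers ignore; a Content-Security-Policy is the maintained control.
      - "traefik.http.middlewares.photos-static-headers.headers.customresponseheaders.X-XSS-Protection=1; mode=block"
      # Publicly cacheable for one day; acceptable only because this
      # middleware is attached to the unauthenticated asset router.
      - "traefik.http.middlewares.photos-static-headers.headers.customresponseheaders.Cache-Control=public, max-age=86400"

      # ==========================================
      # Middleware: custom headers for the protected app
      # ==========================================
      - "traefik.http.middlewares.photos-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.photos-headers.headers.customrequestheaders.X-Forwarded-Scheme=https"
      - "traefik.http.middlewares.photos-headers.headers.customresponseheaders.X-Frame-Options=SAMEORIGIN"
      - "traefik.http.middlewares.photos-headers.headers.customresponseheaders.X-Content-Type-Options=nosniff"
      - "traefik.http.middlewares.photos-headers.headers.customresponseheaders.X-XSS-Protection=1; mode=block"

      # ==========================================
      # Middleware: maximum body size (500MB for large photos and ZIP)
      # ==========================================
      # NOTE(review): maxrequestbodybytes limits *request* bodies, not the
      # photo or ZIP responses. The photos directory is mounted read-only,
      # so confirm that uploads of this size are really expected; if not, a
      # much smaller limit reduces how much an authenticated client can make
      # Traefik buffer.
      - "traefik.http.middlewares.photos-body-size.buffering.maxrequestbodybytes=524288000"

      # ==========================================
      # Service
      # ==========================================
      - "traefik.http.services.photos-nucleoriofrio-service.loadbalancer.server.port=3001"
      - "traefik.http.services.photos-nucleoriofrio-service.loadbalancer.passhostheader=true"

networks:
  principal:
    external: true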