version: '3.8'

services:
  nuxt-app:
    image: ${REG}/${REPO_OWNER}/${APP_NAME}:latest
    container_name: ${APP_NAME}
    restart: unless-stopped
    environment:
      - NODE_ENV=production
      # Printer configuration (prefijo NUXT_ para runtime config)
      - NUXT_PRINTER_HOST=${PRINTER_HOST:-192.168.87.147}
      - NUXT_PRINTER_DEVICE_ID=${PRINTER_DEVICE_ID:-matricial2}
      - NUXT_PRINTER_TIMEOUT_MS=${PRINTER_TIMEOUT_MS:-60000}
      # Variables originales para compatibilidad
      - PRINTER_HOST=${PRINTER_HOST:-192.168.87.147}
      - PRINTER_DEVICE_ID=${PRINTER_DEVICE_ID:-matricial2}
      - PRINTER_TIMEOUT_MS=${PRINTER_TIMEOUT_MS:-60000}
      # Authentik configuration
      - NUXT_PUBLIC_AUTHENTIK_URL=${NUXT_PUBLIC_AUTHENTIK_URL:-https://authentik.nucleoriofrio.com}
      - NUXT_PUBLIC_AUTH_ENABLED=${NUXT_PUBLIC_AUTH_ENABLED:-false}
    networks:
      - principal
      - traefik-network
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=principal"

      # Service
      - "traefik.http.services.${APP_NAME}.loadbalancer.server.port=3000"

      # Router para assets estaticos de Nuxt y PWA (sin autenticacion) - mayor prioridad
      # Incluye recursos PWA y .well-known para scope extensions
      - "traefik.http.routers.${APP_NAME}-public.rule=Host(`${APP_DOMAIN}`) && (PathPrefix(`/_nuxt`) || PathPrefix(`/.well-known`) || PathPrefix(`/icons`) || Path(`/manifest.webmanifest`) || Path(`/sw.js`) || PathPrefix(`/workbox-`) || Path(`/favicon.ico`) || Path(`/offline.html`))"
      - "traefik.http.routers.${APP_NAME}-public.entrypoints=websecure"
      - "traefik.http.routers.${APP_NAME}-public.tls=true"
      - "traefik.http.routers.${APP_NAME}-public.tls.certresolver=letsencrypt"
      - "traefik.http.routers.${APP_NAME}-public.service=${APP_NAME}"
      - "traefik.http.routers.${APP_NAME}-public.priority=100"
      - "traefik.http.routers.${APP_NAME}-public.middlewares=${APP_NAME}-headers"

      # Router principal con Authentik Forward Auth (menor prioridad)
      - "traefik.http.routers.${APP_NAME}.rule=Host(`${APP_DOMAIN}`)"
      - "traefik.http.routers.${APP_NAME}.entrypoints=websecure"
      - "traefik.http.routers.${APP_NAME}.tls=true"
      - "traefik.http.routers.${APP_NAME}.tls.certresolver=letsencrypt"
      - "traefik.http.routers.${APP_NAME}.service=${APP_NAME}"
      - "traefik.http.routers.${APP_NAME}.priority=50"
      - "traefik.http.routers.${APP_NAME}.middlewares=authentik-forward-auth@file,${APP_NAME}-headers"

      # Custom headers middleware
      - "traefik.http.middlewares.${APP_NAME}-headers.headers.customrequestheaders.X-Forwarded-Proto=https"

networks:
  principal:
    external: true
  traefik-network:
    external: true