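# Compose stack: the cc-app web container, published through Traefik via the
# labels below, and its PostgreSQL container cc-db.
services:
  cc-app:
    # NOTE(review): the tag falls back to the mutable `latest`; set IMAGE_TAG
    # (or pin a digest) in deployments so the running image is reproducible.
    image: "registry.infra.mintel.me/mintel/cablecreations-2026:${IMAGE_TAG:-latest}"
    restart: unless-stopped
    networks:
      default: {}
      infra:
        aliases:
          - cc.localhost
    env_file:
      - "${ENV_FILE:-.env}"
    environment:
      # Entries under `environment` take precedence over values loaded through
      # `env_file`. They are interpolated by Compose from the shell or the
      # project-level .env, so a value that exists only in ENV_FILE does not
      # replace a `:-` default written here.
      #
      # NOTE(review): the database user, password and name all default to
      # `payload`; override PAYLOAD_DB_PASSWORD outside local development.
      POSTGRES_URI: "postgres://${PAYLOAD_DB_USER:-payload}:${PAYLOAD_DB_PASSWORD:-payload}@cc-db:5432/${PAYLOAD_DB_NAME:-payload}"
      # Required, with no fallback: a default secret committed to the repo is
      # known to anyone who can read this file. Compose now refuses to start
      # the stack when the variable is unset or empty.
      PAYLOAD_SECRET: "${PAYLOAD_SECRET:?PAYLOAD_SECRET must be set to a unique random value}"
    volumes:
      - "cc_media_data:/app/apps/website/public/media"
    labels:
      - "traefik.enable=true"
      # HTTP ⇒ HTTPS redirect
      # `redirect-https` is not defined in this file; presumably the shared
      # Traefik instance on the `infra` network provides it (confirm).
      - "traefik.http.routers.${PROJECT_NAME:-cc}-web.rule=${TRAEFIK_HOST_RULE:-Host(`${TRAEFIK_HOST:-cablecreations.de}`)}"
      - "traefik.http.routers.${PROJECT_NAME:-cc}-web.entrypoints=web"
      - "traefik.http.routers.${PROJECT_NAME:-cc}-web.middlewares=redirect-https"
      # HTTPS router (Standard)
      # NOTE(review): with no overrides this router sits on the `web`
      # entrypoint with tls=false and an empty cert resolver. Set
      # TRAEFIK_ENTRYPOINT, TRAEFIK_TLS and TRAEFIK_CERT_RESOLVER for any
      # deployment that must terminate TLS.
      - "traefik.http.routers.${PROJECT_NAME:-cc}.rule=${TRAEFIK_HOST_RULE:-Host(`${TRAEFIK_HOST:-cablecreations.de}`)}"
      - "traefik.http.routers.${PROJECT_NAME:-cc}.entrypoints=${TRAEFIK_ENTRYPOINT:-web}"
      - "traefik.http.routers.${PROJECT_NAME:-cc}.tls.certresolver=${TRAEFIK_CERT_RESOLVER:-}"
      - "traefik.http.routers.${PROJECT_NAME:-cc}.tls=${TRAEFIK_TLS:-false}"
      - "traefik.http.routers.${PROJECT_NAME:-cc}.service=${PROJECT_NAME:-cc}-app-svc"
      # The default middleware chain is built from PROJECT_NAME so that it
      # names the middlewares declared under "Middlewares" below. The former
      # hard-coded `cc-…` names pointed at middlewares this file does not
      # define whenever PROJECT_NAME was set to anything other than `cc`.
      # AUTH_MIDDLEWARE replaces the whole chain, so an override has to list
      # the rate-limit middleware again if it should still apply.
      - "traefik.http.routers.${PROJECT_NAME:-cc}.middlewares=${AUTH_MIDDLEWARE:-${PROJECT_NAME:-cc}-ratelimit,${PROJECT_NAME:-cc}-forward,${PROJECT_NAME:-cc}-compress}"
      # Public Router – paths that bypass Gatekeeper auth
      # priority=2000 makes this router win over the authenticated one, and it
      # has no middlewares, so neither auth nor the rate limit applies here.
      # NOTE(review): the PathRegexp is anchored only at the start, so it is a
      # prefix match. Any application path that merely begins with one of the
      # listed names (optionally after a two-letter locale segment) is served
      # without auth. Confirm that no protected route shares these prefixes,
      # or anchor the directory names with a trailing `/` or end-of-path.
      - "traefik.http.routers.${PROJECT_NAME:-cc}-public.rule=(${TRAEFIK_HOST_RULE:-Host(`${TRAEFIK_HOST:-cablecreations.de}`)}) && PathRegexp(`^/([a-z]{2}/)?(health|uploads|media|robots\\.txt|manifest\\.webmanifest|sitemap(-[0-9]+)?\\.xml)`)"
      - "traefik.http.routers.${PROJECT_NAME:-cc}-public.entrypoints=${TRAEFIK_ENTRYPOINT:-web}"
      - "traefik.http.routers.${PROJECT_NAME:-cc}-public.tls.certresolver=${TRAEFIK_CERT_RESOLVER:-}"
      - "traefik.http.routers.${PROJECT_NAME:-cc}-public.tls=${TRAEFIK_TLS:-false}"
      - "traefik.http.routers.${PROJECT_NAME:-cc}-public.service=${PROJECT_NAME:-cc}-app-svc"
      - "traefik.http.routers.${PROJECT_NAME:-cc}-public.priority=2000"
      - "traefik.http.services.${PROJECT_NAME:-cc}-app-svc.loadbalancer.server.port=3000"
      - "traefik.docker.network=infra"
      # Middlewares
      - "traefik.http.middlewares.${PROJECT_NAME:-cc}-compress.compress=true"
      - "traefik.http.middlewares.${PROJECT_NAME:-cc}-ratelimit.ratelimit.average=100"
      - "traefik.http.middlewares.${PROJECT_NAME:-cc}-ratelimit.ratelimit.burst=50"
      # These headers are set unconditionally: the app is told every request
      # arrived over HTTPS, whatever transport the router actually used.
      - "traefik.http.middlewares.${PROJECT_NAME:-cc}-forward.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.${PROJECT_NAME:-cc}-forward.headers.customrequestheaders.X-Forwarded-Ssl=on"

  cc-db:
    image: "postgres:15-alpine"
    restart: unless-stopped
    env_file:
      - "${ENV_FILE:-.env}"
    environment:
      POSTGRES_DB: "${PAYLOAD_DB_NAME:-payload}"
      POSTGRES_USER: "${PAYLOAD_DB_USER:-payload}"
      # NOTE(review): falls back to the password `payload`. The service joins
      # only the internal `default` network and publishes no ports, which
      # limits exposure to containers on that network; still set
      # PAYLOAD_DB_PASSWORD for any non-local deployment.
      POSTGRES_PASSWORD: "${PAYLOAD_DB_PASSWORD:-payload}"
    volumes:
      - "cc_db_data:/var/lib/postgresql/data"
    networks:
      - default

networks:
  # Project-private network shared by cc-app and cc-db.
  default:
    name: "${PROJECT_NAME:-cablecreations}-internal"
  # Pre-existing network created outside this file; Traefik reaches cc-app
  # over it (see the traefik.docker.network label).
  infra:
    external: true

volumes:
  cc_db_data:
    external: false
  cc_media_data:
    external: false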