services:
  # Varnish sits between Traefik and the application.
  #
  # Flow:
  #   Client -> Traefik -> Varnish -> app
  #
  # Traefik keeps TLS + compression; Varnish adds HTTP caching for static assets.
  varnish:
    image: varnish:7
    restart: always
    networks:
      - infra
    depends_on:
      - app
    command: >-
      varnishd
      -F
      -f /etc/varnish/default.vcl
      -s malloc,${VARNISH_CACHE_SIZE:-256m}
    volumes:
      - ./varnish/default.vcl:/etc/varnish/default.vcl:ro
    healthcheck:
      test: ["CMD-SHELL", "wget --quiet --tries=1 --spider http://localhost:80/health || wget --quiet --tries=1 --spider http://localhost:80/ || true"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 10s
    labels:
      - "traefik.enable=true"
      # HTTP → HTTPS redirect (Challenge-Schutz für ALLE)
      - "traefik.http.routers.klz-cables-web.rule=(Host(`klz-cables.com`) || Host(`www.klz-cables.com`) || Host(`staging.klz-cables.com`)) && !PathPrefix(`/.well-known/acme-challenge/`)"
      - "traefik.http.routers.klz-cables-web.entrypoints=web"
      - "traefik.http.routers.klz-cables-web.middlewares=redirect-https"
      # HTTPS router (für ALLE drei Domains)
      - "traefik.http.routers.klz-cables.rule=Host(`klz-cables.com`) || Host(`www.klz-cables.com`) || Host(`staging.klz-cables.com`)"
      - "traefik.http.routers.klz-cables.entrypoints=websecure"
      - "traefik.http.routers.klz-cables.tls.certresolver=le"
      - "traefik.http.routers.klz-cables.tls=true"
      - "traefik.http.routers.klz-cables.service=klz-cables"
      - "traefik.http.services.klz-cables.loadbalancer.server.port=80"
      - "traefik.http.services.klz-cables.loadbalancer.server.scheme=http"
      # Forwarded Headers (für Apps, die HTTPS erwarten)
      - "traefik.http.middlewares.klz-forward.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.klz-forward.headers.customrequestheaders.X-Forwarded-Ssl=on"
      # Middlewares anhängen
      - "traefik.http.routers.klz-cables.middlewares=klz-forward,compress"

  app:
    image: registry.infra.mintel.me/mintel/klz-cables.com:latest
    restart: always
    networks:
      - infra
    healthcheck:
      test: ["CMD-SHELL", "wget --quiet --tries=1 --spider http://localhost:3000/health || wget --quiet --tries=1 --spider http://localhost:3000/ || true"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 30s
    environment:
      - NODE_ENV=${NODE_ENV:-production}
      - NEXT_PUBLIC_BASE_URL=${NEXT_PUBLIC_BASE_URL:?NEXT_PUBLIC_BASE_URL is required}
      - NEXT_PUBLIC_UMAMI_WEBSITE_ID=${NEXT_PUBLIC_UMAMI_WEBSITE_ID}
      - NEXT_PUBLIC_UMAMI_SCRIPT_URL=${NEXT_PUBLIC_UMAMI_SCRIPT_URL}
      - SENTRY_DSN=${SENTRY_DSN}
      - MAIL_HOST=${MAIL_HOST}
      - MAIL_PORT=${MAIL_PORT:-587}
      - MAIL_USERNAME=${MAIL_USERNAME}
      - MAIL_PASSWORD=${MAIL_PASSWORD}
      - MAIL_FROM=${MAIL_FROM}
      - MAIL_RECIPIENTS=${MAIL_RECIPIENTS}
      - REDIS_URL=${REDIS_URL}
      - REDIS_KEY_PREFIX=${REDIS_KEY_PREFIX}

networks:
  infra:
    external: true