services:
  klz-app:
    image: registry.infra.mintel.me/mintel/klz-2026:${IMAGE_TAG:-latest}
    restart: unless-stopped
    networks:
      default:
      infra:
        aliases:
          - klz.localhost
    env_file:
      - ${ENV_FILE:-.env}
    environment:
      POSTGRES_URI: postgres://${PAYLOAD_DB_USER:-payload}:${PAYLOAD_DB_PASSWORD:-payload}@klz-db:5432/${PAYLOAD_DB_NAME:-payload}
      PAYLOAD_SECRET: ${PAYLOAD_SECRET:-fallback-secret-for-production-needs-change}
    volumes:
      - klz_media_data:/app/public/media
    labels:
      - "traefik.enable=true"
      # HTTP ⇒ HTTPS redirect
      - "traefik.http.routers.${PROJECT_NAME:-klz}-web.rule=${TRAEFIK_HOST_RULE:-Host(`${TRAEFIK_HOST:-klz-cables.com}`)}"
      - "traefik.http.routers.${PROJECT_NAME:-klz}-web.entrypoints=web"
      - "traefik.http.routers.${PROJECT_NAME:-klz}-web.middlewares=redirect-https"
      # HTTPS router (Standard)
      - "traefik.http.routers.${PROJECT_NAME:-klz}.rule=${TRAEFIK_HOST_RULE:-Host(`${TRAEFIK_HOST:-klz-cables.com}`)}"
      - "traefik.http.routers.${PROJECT_NAME:-klz}.entrypoints=${TRAEFIK_ENTRYPOINT:-web}"
      - "traefik.http.routers.${PROJECT_NAME:-klz}.tls.certresolver=${TRAEFIK_CERT_RESOLVER:-}"
      - "traefik.http.routers.${PROJECT_NAME:-klz}.tls=${TRAEFIK_TLS:-false}"
      - "traefik.http.routers.${PROJECT_NAME:-klz}.service=${PROJECT_NAME:-klz}-app-svc"
      - "traefik.http.routers.${PROJECT_NAME:-klz}.middlewares=${AUTH_MIDDLEWARE:-klz-ratelimit,klz-forward,klz-compress}"

      # Public Router – paths that bypass Gatekeeper auth (health, SEO, static assets, OG images)
      - "traefik.http.routers.${PROJECT_NAME:-klz}-public.rule=(${TRAEFIK_HOST_RULE:-Host(`${TRAEFIK_HOST:-klz-cables.com}`)}) && PathRegexp(`^/(health|uploads|media|robots\\.txt|manifest\\.webmanifest|sitemap(-[0-9]+)?\\.xml|(.*/)?api/og(/.*)?|(.*/)?opengraph-image.*)`)"
      - "traefik.http.routers.${PROJECT_NAME:-klz}-public.entrypoints=${TRAEFIK_ENTRYPOINT:-web}"
      - "traefik.http.routers.${PROJECT_NAME:-klz}-public.tls.certresolver=${TRAEFIK_CERT_RESOLVER:-}"
      - "traefik.http.routers.${PROJECT_NAME:-klz}-public.tls=${TRAEFIK_TLS:-false}"
      - "traefik.http.routers.${PROJECT_NAME:-klz}-public.service=${PROJECT_NAME:-klz}-app-svc"
      - "traefik.http.routers.${PROJECT_NAME:-klz}-public.priority=2000"

      - "traefik.http.services.${PROJECT_NAME:-klz}-app-svc.loadbalancer.server.port=3000"
      - "traefik.docker.network=infra"

      # Middlewares
      - "traefik.http.middlewares.${PROJECT_NAME:-klz}-compress.compress=true"
      - "traefik.http.middlewares.${PROJECT_NAME:-klz}-ratelimit.ratelimit.average=100"
      - "traefik.http.middlewares.${PROJECT_NAME:-klz}-ratelimit.ratelimit.burst=50"
      - "traefik.http.middlewares.${PROJECT_NAME:-klz}-forward.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.${PROJECT_NAME:-klz}-forward.headers.customrequestheaders.X-Forwarded-Ssl=on"

  klz-gatekeeper:
    profiles: [ "gatekeeper" ]
    image: registry.infra.mintel.me/mintel/gatekeeper:testing
    restart: unless-stopped
    networks:
      infra:
        aliases:
          - ${PROJECT_NAME:-klz}-gatekeeper
    env_file:
      - ${ENV_FILE:-.env}
    environment:
      PORT: 3000
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.${PROJECT_NAME:-klz}-gatekeeper-svc.loadbalancer.server.port=3000"
      - "traefik.http.middlewares.${PROJECT_NAME:-klz}-auth.forwardauth.address=http://${PROJECT_NAME:-klz}-gatekeeper:3000/api/verify"
      - "traefik.http.middlewares.${PROJECT_NAME:-klz}-auth.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.${PROJECT_NAME:-klz}-auth.forwardauth.authResponseHeaders=X-Auth-User"
      - "traefik.docker.network=infra"

      # Gatekeeper Public Router (Login/Auth UI)
      - "traefik.http.routers.${PROJECT_NAME:-klz}-gatekeeper.rule=Host(`${GATEKEEPER_HOST:-gatekeeper.klz-cables.com}`)"
      - "traefik.http.routers.${PROJECT_NAME:-klz}-gatekeeper.entrypoints=${TRAEFIK_ENTRYPOINT:-web}"
      - "traefik.http.routers.${PROJECT_NAME:-klz}-gatekeeper.tls.certresolver=${TRAEFIK_CERT_RESOLVER:-}"
      - "traefik.http.routers.${PROJECT_NAME:-klz}-gatekeeper.tls=${TRAEFIK_TLS:-false}"
      - "traefik.http.routers.${PROJECT_NAME:-klz}-gatekeeper.service=${PROJECT_NAME:-klz}-gatekeeper-svc"
      - "traefik.http.routers.${PROJECT_NAME:-klz}-gatekeeper.priority=2001"

  klz-db:
    image: postgres:15-alpine
    restart: unless-stopped
    env_file:
      - ${ENV_FILE:-.env}
    environment:
      POSTGRES_DB: ${PAYLOAD_DB_NAME:-payload}
      POSTGRES_USER: ${PAYLOAD_DB_USER:-payload}
      POSTGRES_PASSWORD: ${PAYLOAD_DB_PASSWORD:-payload}
    volumes:
      - klz_db_data:/var/lib/postgresql/data
    networks:
      - default

networks:
  default:
    name: ${PROJECT_NAME:-klz-cables}-internal
  infra:
    external: true

volumes:
  klz_db_data:
    external: false
  klz_media_data:
    external: false