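---
# Baby Buddy behind Traefik. TLS terminates at Traefik; the container speaks
# plain HTTP on port 8000 over the shared external Docker network only.
# No `ports:` are published, so the app is reachable solely through the proxy.
# Keep it that way: the forwarded-header settings below depend on it.
version: "3.8"

services:
  babybuddy:
    # NOTE(review): `latest` is a floating tag, so every pull can change the
    # code that runs. Pin a release tag or an image digest you have verified
    # and update it deliberately.
    image: lscr.io/linuxserver/babybuddy:latest
    container_name: babybuddy
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Ljubljana
      # Placeholder: replace before first start and keep the real value out
      # of version control (for example in an untracked .env file).
      # generate once: openssl rand -base64 48
      - SECRET_KEY=CHANGE_ME_LONG_RANDOM
      # domain settings for Django
      - ALLOWED_HOSTS=baby.rozic-dev.com
      - CSRF_TRUSTED_ORIGINS=https://baby.rozic-dev.com
      # >>> make Django treat proxied requests as HTTPS
      # These trust X-Forwarded-Host / X-Forwarded-Proto from the client side
      # of the connection. That is only safe while every request arrives via
      # Traefik, which sets these headers itself unless its entrypoint is
      # configured to trust incoming forwarded headers.
      # NOTE(review): confirm the image actually maps each of these variables
      # into Django settings and accepts this value format; an ignored
      # variable fails silently.
      - USE_X_FORWARDED_HOST=true
      - SECURE_PROXY_SSL_HEADER=HTTP_X_FORWARDED_PROTO,https
      - SECURE_SSL_REDIRECT=true
      - SESSION_COOKIE_SECURE=true
      - CSRF_COOKIE_SECURE=true
    volumes:
      # Persistent application data; restrict host-side permissions to the
      # PUID/PGID above and include it in backups.
      - ./config:/config
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_default"

      # --- HTTPS router ---
      - "traefik.http.routers.babybuddy-https.rule=Host(`baby.rozic-dev.com`)"
      - "traefik.http.routers.babybuddy-https.entrypoints=websecure"
      - "traefik.http.routers.babybuddy-https.tls=true"
      - "traefik.http.routers.babybuddy-https.tls.certresolver=letsencrypt"
      - "traefik.http.routers.babybuddy-https.service=babybuddy"
      - "traefik.http.routers.babybuddy-https.middlewares=babybuddy-compress,babybuddy-headers"
      - "traefik.http.services.babybuddy.loadbalancer.server.port=8000"

      # --- HTTP -> HTTPS redirect ---
      - "traefik.http.routers.babybuddy-http.rule=Host(`baby.rozic-dev.com`)"
      - "traefik.http.routers.babybuddy-http.entrypoints=web"
      - "traefik.http.routers.babybuddy-http.middlewares=babybuddy-redirect"
      - "traefik.http.middlewares.babybuddy-redirect.redirectscheme.scheme=https"

      # --- Optional compression ---
      - "traefik.http.middlewares.babybuddy-compress.compress=true"

      # --- Security headers + HSTS ---
      # Each label is declared once; the original listed contentTypeNosniff,
      # browserXssFilter and the router middleware chain twice.
      # HSTS is cached by browsers for a year and covers subdomains of this
      # host. Only keep stsPreload if HTTPS is permanent for all of them;
      # preload-list entries are slow to remove.
      - "traefik.http.middlewares.babybuddy-headers.headers.stsSeconds=31536000"
      - "traefik.http.middlewares.babybuddy-headers.headers.stsIncludeSubdomains=true"
      - "traefik.http.middlewares.babybuddy-headers.headers.stsPreload=true"
      - "traefik.http.middlewares.babybuddy-headers.headers.contentTypeNosniff=true"
      # Legacy X-XSS-Protection header; current browsers ignore it, so it is
      # not a substitute for output escaping or a Content-Security-Policy.
      - "traefik.http.middlewares.babybuddy-headers.headers.browserXssFilter=true"
      # NOTE(review): no-referrer-when-downgrade still sends full URLs to
      # other HTTPS origins; strict-origin-when-cross-origin or same-origin
      # leaks less.
      - "traefik.http.middlewares.babybuddy-headers.headers.referrerPolicy=no-referrer-when-downgrade"
    networks:
      - traefik

networks:
  # Pre-existing network owned by the Traefik stack; must match the
  # traefik.docker.network label above.
  traefik:
    external: true
    name: traefik_default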