version: "3.8"

services:
  db:
    image: mariadb:10.11
    restart: unless-stopped
    environment:
      # --- REPLACE THESE SECRETS ---
      MYSQL_ROOT_PASSWORD: your_very_strong_root_password
      MYSQL_DATABASE: filerun
      MYSQL_USER: filerun
      MYSQL_PASSWORD: your_very_strong_filerun_password
      # ----------------------------
    volumes:
      - ./db_data:/var/lib/mysql
    networks:
      - internal

  filerun:
    # Assuming this is the correct image for your architecture.
    image: filerun/filerun:8.1.arm64v8
    restart: unless-stopped
    environment:
      FR_DB_HOST: db
      FR_DB_PORT: 3306
      FR_DB_NAME: filerun
      FR_DB_USER: filerun
      # --- REPLACE THIS SECRET ---
      FR_DB_PASS: your_very_strong_filerun_password
      # --------------------------
      APACHE_RUN_USER: www-data
      APACHE_RUN_GROUP: www-data
    volumes:
      - ./filerun_html:/var/www/html
      - ./user_data:/user-files
    networks:
      - internal
      - traefik_default                       # Connect to your existing Traefik network
    depends_on:
      - db
    labels:
      - "traefik.enable=true"

      # --- CRITICAL: FILE-RUN HTTPS MIDDLEWARE ---
      # This middleware is vital for FileRun to correctly detect HTTPS when behind Traefik.
      - "traefik.http.middlewares.filerun-headers.headers.customresponseheaders.X-Forwarded-Proto=https"

      # --- HTTP (Port 80) Router: Redirect to HTTPS ---
      - "traefik.http.routers.filerun-http.entrypoints=web"
      - "traefik.http.routers.filerun-http.rule=Host(`filerun.rozic-dev.com`)"
      - "traefik.http.routers.filerun-http.middlewares=redirect-to-https@docker" # Assumes a global Traefik redirect middleware

      # --- HTTPS (Port 443) Router ---
      - "traefik.http.routers.filerun-https.entrypoints=websecure"
      - "traefik.http.routers.filerun-https.rule=Host(`filerun.rozic-dev.com`)"
      - "traefik.http.routers.filerun-https.tls=true"
      - "traefik.http.routers.filerun-https.tls.certresolver=letsencrypt"
      - "traefik.http.routers.filerun-https.middlewares=filerun-headers@docker" # Apply the X-Forwarded-Proto header
      - "traefik.http.routers.filerun-https.priority=100" # Optional: higher priority

      # --- Service Definition ---
      - "traefik.http.services.filerun.loadbalancer.server.port=80"
    # IMPORTANT: Since Traefik is handling traffic, DO NOT include a 'ports' section here.

networks:
  internal:
    driver: bridge
  traefik_default:
    external: true   # This connects to your existing Traefik network