services:
  db:
    image: postgres:16-alpine
    container_name: guacamole-postgres
    restart: unless-stopped
    environment:
      - POSTGRES_DB=guacamole_db
      - POSTGRES_USER=guacamole_user
      - POSTGRES_PASSWORD=YourSecureDBPassword123
      - TZ=Europe/Ljubljana
    volumes:
      - db_data:/var/lib/postgresql/data
      - ./db-init:/docker-entrypoint-initdb.d:ro
    networks: [default]

  guacd:
    image: guacamole/guacd:latest
    platform: linux/amd64
    container_name: guacamole-guacd
    restart: unless-stopped
    networks: [default]
    healthcheck:
      test: ["CMD", "sh", "-lc", "echo ping | nc -w 1 127.0.0.1 4822"]
      interval: 30s
      timeout: 5s
      retries: 5

  guacamole:
    image: guacamole/guacamole:latest
    platform: linux/amd64
    container_name: guacamole-app
    restart: unless-stopped
    environment:
      - TZ=Europe/Ljubljana
      - GUACD_HOSTNAME=guacd
      - GUACD_PORT=4822
      - POSTGRES_HOSTNAME=db
      - POSTGRES_PORT=5432
      - POSTGRES_DATABASE=guacamole_db
      - POSTGRES_USER=guacamole_user
      - POSTGRES_PASSWORD=YourSecureDBPassword123
      # NOTE: no WEBAPP_CONTEXT → default is /guacamole
    depends_on:
      - guacd
      - db
    networks:
      - default
      - traefik_default
    labels:
      - "traefik.enable=true"
      # critical when a service is on multiple networks:
      - "traefik.docker.network=traefik_default"

      # Main router → only /guacamole…
      - "traefik.http.routers.guacamole.rule=Host(`guac.rozic-dev.com`) && PathPrefix(`/guacamole`)"
      - "traefik.http.routers.guacamole.entrypoints=websecure"
      - "traefik.http.routers.guacamole.tls=true"
      - "traefik.http.routers.guacamole.tls.certresolver=letsencrypt"
      - "traefik.http.services.guacamole.loadbalancer.server.port=8080"

      # Root redirect: /  →  /guacamole/
      - "traefik.http.routers.guacamole-root.rule=Host(`guac.rozic-dev.com`) && Path(`/`)"
      - "traefik.http.routers.guacamole-root.entrypoints=websecure"
      - "traefik.http.routers.guacamole-root.tls=true"
      - "traefik.http.routers.guacamole-root.tls.certresolver=letsencrypt"
      - "traefik.http.routers.guacamole-root.middlewares=guac-redirect"
      - "traefik.http.middlewares.guac-redirect.redirectregex.regex=^https?://([^/]+)(/)?$"
      - "traefik.http.middlewares.guac-redirect.redirectregex.replacement=https://$${1}/guacamole/"
      - "traefik.http.middlewares.guac-redirect.redirectregex.permanent=true"

      # HTTP → HTTPS
      - "traefik.http.routers.guacamole-http.rule=Host(`guac.rozic-dev.com`)"
      - "traefik.http.routers.guacamole-http.entrypoints=web"
      - "traefik.http.routers.guacamole-http.middlewares=https-redirect"
      - "traefik.http.middlewares=https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares=https-redirect.redirectscheme.permanent=true"

volumes:
  db_data:

networks:
  traefik_default:
    external: true
  default:
    driver: bridge