services:
  mealie:
    image: ghcr.io/mealie-recipes/mealie:latest
    container_name: mealie
    restart: always
    networks:
      - traefik
      - internal
    volumes:
      - ./mealie-data:/app/data
    environment:
      # Backend settings
      ALLOW_SIGNUP: "false"
      PUID: 1000
      PGID: 1000
      TZ: Europe/Ljubljana # <-- Already set here
      BASE_URL: https://mealie.rozic-dev.com

      # Database
      DB_ENGINE: postgres
      POSTGRES_USER: mealie
      POSTGRES_PASSWORD: mealie
      POSTGRES_SERVER: postgres
      POSTGRES_PORT: 5432
      POSTGRES_DB: mealie

    depends_on:
      postgres:
        condition: service_healthy

    # -----------------------------
    # Traefik Reverse Proxy Labels
    # -----------------------------
    labels:
      # Enable Traefik
      - "traefik.enable=true"

      # HTTP → HTTPS redirect (recommended)
      - "traefik.http.routers.mealie-http.entrypoints=web"
      - "traefik.http.routers.mealie-http.rule=Host(`mealie.rozic-dev.com`)"
      - "traefik.http.routers.mealie-http.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true"

      # HTTPS router
      - "traefik.http.routers.mealie.entrypoints=websecure"
      - "traefik.http.routers.mealie.rule=Host(`mealie.rozic-dev.com`)"
      - "traefik.http.routers.mealie.tls.certresolver=letsencrypt"
      - "traefik.http.routers.mealie.tls=true"

      # Service port
      - "traefik.http.services.mealie.loadbalancer.server.port=9000"

      # Security headers middleware (improved)
      - "traefik.http.middlewares.mealie-security.headers.customResponseHeaders.X-Robots-Tag=none"
      - "traefik.http.middlewares.mealie-security.headers.stsSeconds=63072000"
      - "traefik.http.middlewares.mealie-security.headers.stsIncludeSubdomains=true"
      - "traefik.http.middlewares.mealie-security.headers.stsPreload=true"
      - "traefik.http.middlewares.mealie-security.headers.contentTypeNosniff=true"
      - "traefik.http.middlewares.mealie-security.headers.browserXssFilter=true"
      - "traefik.http.middlewares.mealie-security.headers.referrerPolicy=same-origin"
      - "traefik.http.routers.mealie.middlewares=mealie-security"
    deploy:
      resources:
        limits:
          cpus: '1.0'
          memory: 1024M

  postgres:
    image: postgres:15
    container_name: mealie-postgres
    restart: always
    networks:
      - internal
    environment:
      POSTGRES_DB: mealie
      POSTGRES_USER: mealie
      POSTGRES_PASSWORD: mealie
      # Added for Time Zone consistency (Suggestion 2)
      TZ: Europe/Ljubljana
      PGTZ: Europe/Ljubljana 
    volumes:
      - ./mealie-pgdata:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "mealie"]
      interval: 30s
      timeout: 10s
      retries: 5

# ------------------
# NETWORKS & VOLUMES
# ------------------
networks:
  traefik:
    external: true
    name: traefik_default 

  internal:
    driver: bridge

volumes:
  mealie-data:
    driver: local
  mealie-pgdata:
    driver: local