version: '3.8'

services:
  db:
    image: mariadb:10.11
    container_name: seafile-mysql
    environment:
      - MYSQL_ROOT_PASSWORD=biker111
    volumes:
      - ./mysql:/var/lib/mysql
    networks:
      - seafile-net
    healthcheck:
      test: ["CMD", "mariadb-admin", "--protocol=tcp", "ping"]
      interval: 20s
      timeout: 10s
      retries: 5
    restart: unless-stopped

  memcached:
    image: memcached:1.6.18
    container_name: seafile-memcached
    entrypoint: memcached -m 256
    networks:
      - seafile-net
    restart: unless-stopped

  seafile:
    image: seafileltd/seafile-mc:latest
    container_name: seafile
    # NO PORTS EXPOSED → MAX SECURITY
    volumes:
      - ./data:/shared
#       - /mnt/sea-files/seafile-data1:/shared
    environment:
      - DB_HOST=db
      - DB_ROOT_PASSWD=biker111
      - SEAFILE_ADMIN_EMAIL=dejan@rozic-dev.com
      - SEAFILE_ADMIN_PASSWORD=biker111
      - SEAFILE_SERVER_HOSTNAME=seafile.rozic-dev.com
      - TIME_ZONE=Europe/Belgrade
      - SEAFILE_SERVER_LETSENCRYPT=false     # Traefik handles certs, not Seafile
      - FORCE_HTTPS_IN_CONF=true            # Force https:// in Seafile config
      - SEAFILE_SERVICE_URL=https://seafile.rozic-dev.com
      - SEAFILE_FILE_SERVER_ROOT=https://seafile.rozic-dev.com/seafhttp
    depends_on:
      - db
      - memcached
    networks:
      - seafile-net
      - traefik_default
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_default"

      # UI router → service "seafile"
      - "traefik.http.routers.seafile.rule=Host(`seafile.rozic-dev.com`)"
      - "traefik.http.routers.seafile.entrypoints=websecure"
      - "traefik.http.routers.seafile.tls.certresolver=letsencrypt"
      - "traefik.http.routers.seafile.service=seafile"
      - "traefik.http.services.seafile.loadbalancer.server.port=80"

      # File server router → service "seafile-files"
      - "traefik.http.routers.seafile-files.rule=Host(`seafile.rozic-dev.com`) && PathPrefix(`/seafhttp`)"
      - "traefik.http.routers.seafile-files.entrypoints=websecure"
      - "traefik.http.routers.seafile-files.tls.certresolver=letsencrypt"
      - "traefik.http.routers.seafile-files.service=seafile-files"
      - "traefik.http.services.seafile-files.loadbalancer.server.port=8082"
      # ADD: Attach strip-prefix middleware to the router
      - "traefik.http.routers.seafile-files.middlewares=strip-seafhttp"
  # ADD: Define the strip-prefix middleware (strips /seafhttp from the path)
      - "traefik.http.middlewares.strip-seafhttp.stripprefix.prefixes=/seafhttp"
    restart: unless-stopped

networks:
  seafile-net:
    driver: bridge
  traefik_default:
    external: true