services:
  rtrips:
    build:
      context: ..
      dockerfile: rtrips-online/Dockerfile
    container_name: rtrips-online
    restart: unless-stopped
    environment:
      - DATABASE_URL=postgresql://rtrips:${DB_PASSWORD}@rtrips-postgres:5432/rtrips
      - GEMINI_API_KEY=${GEMINI_API_KEY}
      - NEXT_PUBLIC_RSPACE_URL=${NEXT_PUBLIC_RSPACE_URL:-https://rspace.online}
      - RSPACE_INTERNAL_URL=${RSPACE_INTERNAL_URL:-http://rspace-online:3000}
      - NEXT_PUBLIC_ENCRYPTID_SERVER_URL=${NEXT_PUBLIC_ENCRYPTID_SERVER_URL:-https://auth.ridentity.online}
      - RNOTES_INTERNAL_URL=${RNOTES_INTERNAL_URL:-http://rnotes-online:3000}
      - RVOTE_INTERNAL_URL=${RVOTE_INTERNAL_URL:-http://rvote-online-rvote-1:3000}
      - RCART_INTERNAL_URL=${RCART_INTERNAL_URL:-http://rcart-online:3000}
      - ORS_BASE_URL=${ORS_BASE_URL:-https://routing.jeffemmett.com}
      - ORS_PUBLIC_URL=${ORS_PUBLIC_URL:-https://api.openrouteservice.org}
      - ORS_PUBLIC_KEY=${ORS_PUBLIC_KEY:-}
      - NEXT_PUBLIC_BASE_PATH=/rtrips
    labels:
      - "traefik.enable=true"
      # Primary: serve app at rspace.online/rtrips (basePath handles prefix)
      - "traefik.http.routers.rtrips.rule=Host(`rspace.online`) && PathPrefix(`/rtrips`)"
      - "traefik.http.routers.rtrips.priority=115"
      - "traefik.http.services.rtrips.loadbalancer.server.port=3000"
      # Redirect: rtrips.online → rspace.online/rtrips
      - "traefik.http.routers.rtrips-redirect.rule=Host(`rtrips.online`) || Host(`www.rtrips.online`)"
      - "traefik.http.routers.rtrips-redirect.priority=130"
      - "traefik.http.routers.rtrips-redirect.middlewares=rtrips-to-rspace"
      - "traefik.http.routers.rtrips-redirect.service=rtrips"
      - "traefik.http.middlewares.rtrips-to-rspace.redirectregex.regex=^https?://(?:www\\.)?rtrips\\.online(.*)"
      - "traefik.http.middlewares.rtrips-to-rspace.redirectregex.replacement=https://rspace.online/rtrips$${1}"
      - "traefik.http.middlewares.rtrips-to-rspace.redirectregex.permanent=true"
    networks:
      - traefik-public
      - rtrips-internal
    depends_on:
      rtrips-postgres:
        condition: service_healthy
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    read_only: true
    tmpfs:
      - /tmp
      - /home/nextjs/.npm

  rtrips-postgres:
    image: postgres:16-alpine
    container_name: rtrips-postgres
    restart: unless-stopped
    environment:
      - POSTGRES_USER=rtrips
      - POSTGRES_PASSWORD=${DB_PASSWORD}
      - POSTGRES_DB=rtrips
    volumes:
      - postgres_data:/var/lib/postgresql/data
    networks:
      - rtrips-internal
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U rtrips -d rtrips"]
      interval: 5s
      timeout: 5s
      retries: 5
    cap_drop:
      - ALL
    cap_add:
      - DAC_OVERRIDE
      - FOWNER
      - SETGID
      - SETUID
    security_opt:
      - no-new-privileges:true

networks:
  traefik-public:
    external: true
  rtrips-internal:
    internal: true

volumes:
  postgres_data: