services:
  app-1440-news:
    build: .
    container_name: app-1440-news
    restart: unless-stopped
    stop_grace_period: 30s
    env_file:
      - pds.env
      - oauth.env
    environment:
      DB_HOST: atproto-postgres
      DB_PORT: 5432
      DB_USER: news_1440
      DB_PASSWORD_FILE: /run/secrets/db_password
      DB_NAME: news_1440
    secrets:
      - db_password
    volumes:
      - ./vertices.txt.gz:/app/vertices.txt.gz:ro
    networks:
      - proxy
      - atproto
    labels:
      - "traefik.enable=true"
      # Production: HTTPS with Let's Encrypt for app.1440.news
      - "traefik.http.routers.app-1440-news.rule=Host(`app.1440.news`)"
      - "traefik.http.routers.app-1440-news.entrypoints=https"
      - "traefik.http.routers.app-1440-news.tls.certresolver=letsencrypt-dns"
      # Production: HTTPS for 1440.news root (accounts directory) - lower priority than PDS API paths
      - "traefik.http.routers.root-1440-news.rule=Host(`1440.news`)"
      - "traefik.http.routers.root-1440-news.entrypoints=https"
      - "traefik.http.routers.root-1440-news.tls.certresolver=letsencrypt-dns"
      - "traefik.http.routers.root-1440-news.priority=10"
      # Production: HTTPS for url.1440.news (URL shortener)
      - "traefik.http.routers.url-1440-news.rule=Host(`url.1440.news`)"
      - "traefik.http.routers.url-1440-news.entrypoints=https"
      - "traefik.http.routers.url-1440-news.tls.certresolver=letsencrypt-dns"
      # Production: HTTP to HTTPS redirect for app and url subdomains
      - "traefik.http.routers.app-1440-news-redirect.rule=Host(`app.1440.news`) || Host(`url.1440.news`)"
      - "traefik.http.routers.app-1440-news-redirect.entrypoints=http"
      - "traefik.http.routers.app-1440-news-redirect.middlewares=https-redirect"
      # Production: HTTP to HTTPS redirect for 1440.news root
      - "traefik.http.routers.root-1440-news-redirect.rule=Host(`1440.news`)"
      - "traefik.http.routers.root-1440-news-redirect.entrypoints=http"
      - "traefik.http.routers.root-1440-news-redirect.middlewares=https-redirect"
      - "traefik.http.routers.root-1440-news-redirect.priority=10"
      - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.https-redirect.redirectscheme.permanent=true"
      # Local development: HTTP only
      - "traefik.http.routers.app-1440-news-local.rule=Host(`app.1440.localhost`) || Host(`url.1440.localhost`)"
      - "traefik.http.routers.app-1440-news-local.entrypoints=http"
      # Shared service
      - "traefik.http.services.app-1440-news.loadbalancer.server.port=4321"

secrets:
  db_password:
    file: ../postgres/secrets/news_1440_password.txt

networks:
  proxy:
    external: true
  atproto:
    external: true