version: "3.9"

services:
  shelfy:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: shelfy-go
    working_dir: /app
    ports:
      - "8090:8080"
      - "2121:2121"
      - "30000-30100:30000-30100"
      - "2222:2222"
    extra_hosts:
      - "dockerhost:host-gateway"
    environment:
      - SHELFY_DATA_DIR=/app/data    # si ton code lit cette var (cf. patch précédent)
    volumes:
      - shelfy_upload:/app/upload
      - shelfy_data:/app/data
      - shelfy_logs:/var/log/shelfy     # <--- MONTE TON FRONT (lecture seule)
 # <-- logs lus par Fail2ban
    labels:
      - traefik.enable=true
      - traefik.docker.network=dokploy-network

      # --- HTTPS direct sur media.canguidev.fr ---
      - traefik.http.routers.media.rule=Host(`media.canguidev.fr`)
      - traefik.http.routers.media.entrypoints=websecure
      - traefik.http.routers.media.tls=true
      - traefik.http.routers.media.tls.certresolver=letsencrypt
      - traefik.http.services.media.loadbalancer.server.port=8080
      - traefik.http.routers.media.service=media

      # --- Redirect HTTP -> HTTPS (AUCUN @file) ---
      - traefik.http.routers.media-redirect.rule=Host(`media.canguidev.fr`)
      - traefik.http.routers.media-redirect.entrypoints=web
      - traefik.http.routers.media-redirect.middlewares=redirect-to-https
      - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https

      # --- (facultatif) tes headers WebDAV, ils ne redirigent pas ---
      - traefik.http.routers.shelfy.middlewares=webdav-allow-methods@docker
      - traefik.http.middlewares.webdav-allow-methods.headers.accesscontrolallowmethods=GET,PUT,POST,DELETE,PROPFIND,OPTIONS,LOCK,UNLOCK,HEAD
      - traefik.http.middlewares.webdav-allow-methods.headers.accesscontrolallowheaders=Authorization,Depth,Content-Type,If-Modified-Since,User-Agent,Destination,Overwrite

  dns:
    - 8.8.8.8
    - 1.1.1.1
  restart: unless-stopped
    # ⚠️ Supprime la directive 'command:' ici, l'ENTRYPOINT du Dockerfile s'en charge.

  fail2ban:
    image: crazymax/fail2ban:latest
    container_name: fail2ban
    network_mode: host
    cap_add:
      - NET_ADMIN
      - NET_RAW
    environment:
      - TZ=Europe/Paris
      - F2B_LOG_TARGET=STDOUT
      - F2B_DB_PURGE_AGE=1d
    volumes:
      - ./fail2ban:/data
      - shelfy_logs:/var/log/shelfy:ro
    restart: unless-stopped

volumes:
  shelfy_upload:
  shelfy_data:
  shelfy_logs: