services:
  betterbahn:
    image: ghcr.io/l2xu/betterbahn:latest
    restart: unless-stopped
    pull_policy: always
    networks:
      - dokploy-network
    environment:
      - HOSTNAME=0.0.0.0
      - HOST=0.0.0.0

  betterbahn-proxy:
    image: alpine/socat:latest
    depends_on: [betterbahn]
    restart: unless-stopped
    # Share the app's network namespace so we can reach 127.0.0.1:3000
    network_mode: "service:betterbahn"
    command: ["TCP-LISTEN:8080,fork,reuseaddr", "TCP:127.0.0.1:3000"]
    labels:
    - "traefik.enable=true"
    - "traefik.docker.network=dokploy-network"

    - "traefik.http.services.betterbahn-app.loadbalancer.server.port=8080" # set port the container listenes to
    - "traefik.http.services.betterbahn-app.loadbalancer.server.scheme=http"

    - "traefik.http.routers.betterbahn-app-web.rule=Host(`${PUBLIC_DOMAIN}`)"
    - "traefik.http.routers.betterbahn-app-web.service=betterbahn-app"
    - "traefik.http.routers.betterbahn-app-web.entrypoints=web"
    - "traefik.http.routers.betterbahn-app-web.middlewares=redirect-to-https@file"

    - "traefik.http.routers.betterbahn-app-websecure.rule=Host(`${PUBLIC_DOMAIN}`)"
    - "traefik.http.routers.betterbahn-app-websecure.service=betterbahn-app"
    - "traefik.http.routers.betterbahn-app-websecure.entrypoints=websecure"
    - "traefik.http.routers.betterbahn-app-websecure.tls=true"
    - "traefik.http.routers.betterbahn-app-websecure.tls.certresolver=hetzner"
    - "traefik.http.routers.betterbahn-app-websecure.tls.domains[0].main=${TLS_DOMAIN}"
    - "traefik.http.routers.betterbahn-app-websecure.middlewares=secHeaders@file, autodetectContenttype@file, authentikProd@file"

networks:
  dokploy-network:
    external: true