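# ==============================================================================
# OGNIRNAS - CORE INFRASTRUCTURE: TRAEFIK V3 & DOCKER-SOCKET-PROXY
# ==============================================================================
# Last review: 2026-01-06 (Phase: Audit and Active Security)
# Owner: Ognir (UID 1032 / GID 100)
# ==============================================================================
# Layout: Traefik never touches /var/run/docker.sock directly; it talks to
# tecnativa/docker-socket-proxy over services-internal-net, and the proxy only
# exposes the read-only Docker API sections listed in its environment.
#
# Reviewer notes (not verifiable from this file alone):
# - Traefik's static configuration is /etc/traefik/traefik.yml (mounted
#   read-only below) and is not visible here. The Docker provider endpoint is
#   presumably tcp://traefik-socket-proxy:2375 -- confirm it does not point at
#   the raw socket, otherwise the proxy is bypassed.
# - The top-level `version` key is ignored (with a warning) by Compose v2; it is
#   kept only for older tooling.

version: "3.9"

services:
  # ----------------------------------------------------------------------------
  # SERVICE: traefik-socket-proxy
  # Firewall for the Docker socket. Isolates Traefik from the NAS Docker engine.
  # Only the API sections enabled below are reachable; write access (POST) is
  # left at the image default (disabled), so a compromised Traefik cannot
  # create, start or exec into containers through this proxy.
  # ----------------------------------------------------------------------------
  traefik-socket-proxy:
    # TODO(review): floating tag. The component that guards the Docker socket
    # should be pinned to a specific release tag or @sha256 digest so a pull
    # cannot silently replace it.
    image: tecnativa/docker-socket-proxy:latest
    container_name: traefik-socket-proxy
    restart: always
    # Hardening: the process tree cannot gain privileges via setuid binaries or
    # file capabilities. Safe here because the proxy listens on an unprivileged
    # port and needs no capability transitions.
    security_opt:
      - "no-new-privileges:true"
    networks:
      - services-internal-net
    volumes:
      # Read-only mount; the proxy only forwards API calls, it never writes the
      # socket node itself.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - CONTAINERS=1
      - NETWORKS=1
      - SERVICES=1
      - VERSION=1
      - EVENTS=1

  # ----------------------------------------------------------------------------
  # SERVICE: traefik (v3.0)
  # Reverse proxy with TLS, a protected dashboard and request logging.
  # ----------------------------------------------------------------------------
  traefik:
    image: traefik:v3.0
    container_name: traefik
    restart: always
    # Runs as the owner's unprivileged NAS account rather than root.
    # NOTE(review): on macvlan Traefik must bind its entrypoint ports itself. If
    # traefik.yml binds ports below 1024, this uid needs a way to do so (file
    # capabilities in the image or an unprivileged-port sysctl) -- confirm it
    # actually starts listening, and only then consider adding
    # `security_opt: ["no-new-privileges:true"]`, which would block file-cap
    # based binding.
    user: "1032:100"
    depends_on:
      traefik-socket-proxy:
        condition: service_started
    networks:
      proxy-macvlan-net:
        ipv4_address: 192.168.178.25  # Fixed IP on the LAN (Fritz!Box)
      services-internal-net: {}
    volumes:
      # Static config and dynamic file provider, read-only.
      - /volume1/docker/configs/traefik:/etc/traefik:ro
      # ACME storage (acme.json) needs to be writable by uid 1032.
      - /volume1/docker/data/traefik:/letsencrypt
      # Log persistence
      - /volume1/docker/data/traefik/logs:/var/log/traefik
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=services-internal-net"
      # --- DASHBOARD ROUTER ---
      - "traefik.http.routers.traefik-dash.rule=Host(`traefik.ognir-server.synology.me`)"
      - "traefik.http.routers.traefik-dash.entrypoints=websecure"
      - "traefik.http.routers.traefik-dash.tls=true"
      - "traefik.http.routers.traefik-dash.tls.certresolver=letsencrypt"
      # api@internal requires the dashboard to be enabled in the static config
      # (traefik.yml) -- not visible here.
      - "traefik.http.routers.traefik-dash.service=api@internal"
      # --- MIDDLEWARES (HARDENED) ---
      # Auth (login) first, then security headers. Both are defined in the file
      # provider; the dashboard is only reachable through this chain.
      - "traefik.http.routers.traefik-dash.middlewares=auth-dashboard@file,security-headers@file"
    command:
      - "--configFile=/etc/traefik/traefik.yml"
      # --- WATCHER CONFIGURATION (ACCESS LOGS) ---
      # Records every request arriving from the internet.
      # NOTE(review): Traefik loads static configuration from a single source.
      # When --configFile points at an existing file, the remaining CLI flags
      # below may be ignored in favour of that file. Verify that
      # /var/log/traefik/access.log is actually being written; if not, move the
      # accesslog settings into traefik.yml so the detection trail exists.
      - "--accesslog=true"
      # Internal path (mapped to the data/traefik/logs volume)
      - "--accesslog.filepath=/var/log/traefik/access.log"
      # Buffering so the NAS disk/SSD is not hit on every request
      - "--accesslog.bufferingsize=100"

# ------------------------------------------------------------------------------
# EXTERNAL NETWORKS
# ------------------------------------------------------------------------------
networks:
  proxy-macvlan-net:
    external: true
  services-internal-net:
    external: true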