services:
  photo-server:
    build: .
    container_name: eink-photo-server
    restart: unless-stopped
    networks:
      - webgateway
    volumes:
      - photos:/photos
      - state:/data
    environment:
      - TZ=America/Chicago
    labels:
      - "traefik.enable=true"
      # HTTPS
      - "traefik.http.routers.photos-websecure.rule=Host(`photos.haunt.house`)"
      - "traefik.http.routers.photos-websecure.entryPoints=websecure"
      - "traefik.http.routers.photos-websecure.tls.certresolver=myresolver"
      - "traefik.http.routers.photos-websecure.middlewares=hsts,google-auth@docker"
      # HTTP redirect
      - "traefik.http.routers.photos-http.rule=Host(`photos.haunt.house`)"
      - "traefik.http.routers.photos-http.entryPoints=web"
      - "traefik.http.routers.photos-http.middlewares=redirect-https"
      # Internal port
      - "traefik.http.services.photos.loadbalancer.server.port=8473"
      # ESP32 endpoint — no auth (frame can't do OAuth)
      - "traefik.http.routers.photos-frame.rule=Host(`photos.haunt.house`) && (Path(`/photo`) || Path(`/heartbeat`))"
      - "traefik.http.routers.photos-frame.entryPoints=websecure"
      - "traefik.http.routers.photos-frame.tls.certresolver=myresolver"
      - "traefik.http.routers.photos-frame.middlewares=hsts"
      - "traefik.http.routers.photos-frame.priority=100"
      - "traefik.http.routers.photos-frame.service=photos"

networks:
  webgateway:
    external: true

volumes:
  photos:
  state: