version: "3.9"

networks:
  traefik_proxy:
    external: true

services:
  private_static:
    image: nginx:alpine
    container_name: private_static
    restart: unless-stopped
    networks:
      - traefik_proxy

    # Host-visible content
    volumes:
      - ./html:/usr/share/nginx/html:ro

    labels:
      - "traefik.enable=true"

      # =========================
      # HTTP → HTTPS redirect
      # =========================
      # Catch http://example.com/private[...] and redirect to https://
      - "traefik.http.routers.private-http.rule=Host(`example.com`) && PathPrefix(`/private`)"
      - "traefik.http.routers.private-http.entrypoints=web"
      - "traefik.http.routers.private-http.middlewares=private-https-redirect"
      - "traefik.http.middlewares.private-https-redirect.redirectscheme.scheme=https"

      # =========================
      # HTTPS router (protected)
      # =========================
      # Serve static files at https://example.com/private[...]
      - "traefik.http.routers.private-https.rule=Host(`example.com`) && PathPrefix(`/private`)"
      - "traefik.http.routers.private-https.entrypoints=websecure"
      - "traefik.http.routers.private-https.tls.certresolver=letsencrypt"

      # Optional: set higher priority if you have a general example.com router
      - "traefik.http.routers.private-https.priority=20"

      # Require Authelia auth before serving anything under /private
      - "traefik.http.routers.private-https.middlewares=authelia-auth@file"