version: "3.9"

networks:
  traefik_proxy:
    external: true

services:
  protected_static:
    image: nginx:alpine
    container_name: protected_static
    restart: unless-stopped
    networks:
      - traefik_proxy

    # Bind-mounted static content stored natively on the host
    volumes:
      - ./html:/usr/share/nginx/html:ro

    labels:
      - "traefik.enable=true"

      # --------------------------
      # HTTP → HTTPS redirect
      # --------------------------
      - "traefik.http.routers.psite-http.rule=Host(`secure.example.com`)"
      - "traefik.http.routers.psite-http.entrypoints=web"
      - "traefik.http.routers.psite-http.middlewares=psite-https-redirect"
      - "traefik.http.middlewares.psite-https-redirect.redirectscheme.scheme=https"

      # --------------------------
      # HTTPS router
      # --------------------------
      - "traefik.http.routers.psite-https.rule=Host(`secure.example.com`)"
      - "traefik.http.routers.psite-https.entrypoints=websecure"
      - "traefik.http.routers.psite-https.tls.certresolver=letsencrypt"

      # --------------------------
      # Authelia protection
      # --------------------------
      - "traefik.http.routers.psite-https.middlewares=authelia-auth@file"