services:
  trilium:
    image: ${TRILIUM_IMAGE}
    container_name: trilium
    restart: unless-stopped
    hostname: ${TRILIUM_HOSTNAME}

    environment:
      TZ: ${TZ}

    volumes:
      - ${TRILIUM_DATA_PATH}:/home/node/trilium-data:Z

    expose:
      - "${TRILIUM_HTTP_PORT}"

    networks:
      - proxy

    labels:
      traefik.enable: "true"
      traefik.docker.network: "${TRAEFIK_DOCKER_NETWORK}"
    
      # Router HTTPS - dominio principal
      traefik.http.routers.trilium.rule: "Host(`${TRILIUM_DOMAIN_1}`)"
      traefik.http.routers.trilium.entrypoints: "${TRAEFIK_ENTRYPOINT_SECURE}"
      traefik.http.routers.trilium.tls: "true"
      traefik.http.routers.trilium.tls.certresolver: "${TRAEFIK_CERTRESOLVER}"
    
      # Router HTTPS - dominio secundario (sin redirección)
      traefik.http.routers.trilium-alt.rule: "Host(`${TRILIUM_DOMAIN_2}`)"
      traefik.http.routers.trilium-alt.entrypoints: "${TRAEFIK_ENTRYPOINT_SECURE}"
      traefik.http.routers.trilium-alt.tls: "true"
      traefik.http.routers.trilium-alt.tls.certresolver: "${TRAEFIK_CERTRESOLVER}"
      traefik.http.routers.trilium-alt.service: "trilium@docker"
    
      # Servicio interno
      traefik.http.services.trilium.loadbalancer.server.port: "${TRILIUM_HTTP_PORT}"
    
      # Middleware solo de headers (sin Authentik)
      traefik.http.routers.trilium.middlewares: "trilium-sec@docker"
    
      traefik.http.middlewares.trilium-sec.headers.stsSeconds: "31536000"
      traefik.http.middlewares.trilium-sec.headers.stsIncludeSubdomains: "true"
      traefik.http.middlewares.trilium-sec.headers.stsPreload: "true"
      traefik.http.middlewares.trilium-sec.headers.contentTypeNosniff: "true"
      traefik.http.middlewares.trilium-sec.headers.frameDeny: "true"

networks:
  proxy:
    external: true