services:
  kochwas:
    # Image wird via Gitea Actions gebaut und in die Gitea-Container-Registry gepusht.
    # Tag-Override per Umgebungsvariable: KOCHWAS_TAG=sha-abcd1234 docker compose pull
    image: gitea.siegeln.net/claude/kochwas:${KOCHWAS_TAG:-latest}
    pull_policy: always
    volumes:
      - ./data:/data
    environment:
      - DATABASE_PATH=/data/kochwas.db
      - IMAGE_DIR=/data/images
      - SEARXNG_URL=http://searxng:8080
      - NODE_ENV=production
    depends_on:
      - searxng
    restart: unless-stopped
    networks:
      - proxy
      - internal
    labels:
      - "traefik.enable=true"
      # Router for HTTPS traffic
      - "traefik.http.routers.kochwas.rule=Host(`kochwas.siegeln.net`)"
      - "traefik.http.routers.kochwas.entrypoints=websecure"
      - "traefik.http.routers.kochwas.tls.certresolver=cloudflareResolver"
      # Specify which port Traefik should forward traffic to inside the container
      - "traefik.http.services.kochwas.loadbalancer.server.port=3000"
      # Explicitly tell Traefik which network to use (since kochwas is on two networks)
      - "traefik.docker.network=proxy"

  searxng:
    # Absichtlich nur intern erreichbar — keine Traefik-Labels, kein externer Port.
    image: searxng/searxng:latest
    volumes:
      - ./searxng:/etc/searxng
    environment:
      - BASE_URL=http://searxng:8080/
      - INSTANCE_NAME=kochwas-search
    restart: unless-stopped
    networks:
      - internal

networks:
  proxy:
    # Muss dem Namen des externen Traefik-Netzwerks entsprechen (ggf. in `name:` ändern).
    external: true
  internal:
    # Eigenes internes Netz für kochwas ↔ searxng. Wird von Compose automatisch angelegt.
    driver: bridge