version: '3.8'

services:
  minio:
    image: minio/minio:RELEASE.2024-10-02T17-50-41Z
    container_name: crew-minio-prod
    restart: unless-stopped
    environment:
      MINIO_ROOT_USER: ${MINIO_ROOT_USER}
      MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD}
      MINIO_SERVER_URL: ${MINIO_SERVER_URL:-https://minio.crewsportswear.com}
      MINIO_BROWSER_REDIRECT_URL: ${MINIO_BROWSER_REDIRECT_URL:-https://console.crewsportswear.com}
    command: server /data --console-address ":9001"
    volumes:
      - minio-data:/data
    networks:
      - traefik-public
      - crew-app-net
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
      interval: 30s
      timeout: 20s
      retries: 3
    labels:
      - "traefik.enable=true"
      
      # MinIO API (S3 endpoint)
      - "traefik.http.routers.minio-api.rule=Host(`minio.crewsportswear.com`)"
      - "traefik.http.routers.minio-api.entrypoints=websecure"
      - "traefik.http.routers.minio-api.tls=true"
      - "traefik.http.routers.minio-api.tls.certresolver=le"
      - "traefik.http.routers.minio-api.service=minio-api"
      - "traefik.http.services.minio-api.loadbalancer.server.port=9000"
      
      # MinIO Console (Web UI) - SECURED WITH BASIC AUTH
      - "traefik.http.routers.minio-console.rule=Host(`console.crewsportswear.com`)"
      - "traefik.http.routers.minio-console.entrypoints=websecure"
      - "traefik.http.routers.minio-console.tls=true"
      - "traefik.http.routers.minio-console.tls.certresolver=le"
      - "traefik.http.routers.minio-console.service=minio-console"
      - "traefik.http.routers.minio-console.middlewares=minio-auth"
      - "traefik.http.services.minio-console.loadbalancer.server.port=9001"
      # Basic Auth Middleware (Generate with: htpasswd -nb admin yourpassword)
      # Example: admin:$apr1$xyz... (replace with your own)
      - "traefik.http.middlewares.minio-auth.basicauth.users=${TRAEFIK_CONSOLE_AUTH}"
      
      # HTTP to HTTPS redirect
      - "traefik.http.routers.minio-api-http.rule=Host(`minio.crewsportswear.com`)"
      - "traefik.http.routers.minio-api-http.entrypoints=web"
      - "traefik.http.routers.minio-api-http.middlewares=https-redirect"
      
      - "traefik.http.routers.minio-console-http.rule=Host(`console.crewsportswear.com`)"
      - "traefik.http.routers.minio-console-http.entrypoints=web"
      - "traefik.http.routers.minio-console-http.middlewares=https-redirect"

networks:
  traefik-public:
    external: true
  crew-app-net:
    external: true

volumes:
  minio-data:
    driver: local