gigafibre-fsm/apps/ops/infra/docker-compose.yaml

# Targo Ops — nginx container served at erp.gigafibre.ca/ops/
# Deploy: docker compose -f docker-compose.yaml up -d
#
# Requires:
#   - Traefik proxy network
#   - Authentik forwardAuth middleware in Traefik
#
# Routing:
#   erp.gigafibre.ca/ops/*  → Traefik → StripPrefix /ops → nginx (static SPA)
#   erp.gigafibre.ca/api/*  → ERPNext directly (same domain, no proxy needed)

services:
  ops-frontend:
    image: nginx:alpine
    container_name: ops-frontend
    restart: unless-stopped
    volumes:
      - /opt/ops-app:/usr/share/nginx/html:ro
      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      # Main router: erp.gigafibre.ca/ops/* with Authentik + StripPrefix
      - "traefik.http.routers.ops.rule=Host(`erp.gigafibre.ca`) && PathPrefix(`/ops`)"
      - "traefik.http.routers.ops.entrypoints=web,websecure"
      - "traefik.http.routers.ops.middlewares=authentik-client@file,ops-strip@docker"
      - "traefik.http.routers.ops.service=ops"
      - "traefik.http.routers.ops.tls.certresolver=letsencrypt"
      - "traefik.http.routers.ops.priority=200"
      # StripPrefix middleware (removes /ops before sending to nginx)
      - "traefik.http.middlewares.ops-strip.stripprefix.prefixes=/ops"
      - "traefik.http.middlewares.ops-strip.stripprefix.forceSlash=false"
      # Authentik outpost callback (required for login redirect)
      - "traefik.http.routers.ops-ak.rule=Host(`erp.gigafibre.ca`) && PathPrefix(`/outpost.goauthentik.io/`)"
      - "traefik.http.routers.ops-ak.entrypoints=web,websecure"
      - "traefik.http.routers.ops-ak.middlewares=authentik-client@file"
      - "traefik.http.routers.ops-ak.service=ops"
      - "traefik.http.routers.ops-ak.tls.certresolver=letsencrypt"
      - "traefik.http.routers.ops-ak.priority=250"
      # Service
      - "traefik.http.services.ops.loadbalancer.server.port=80"
      - "traefik.docker.network=proxy"

networks:
  proxy:
    external: true