services:
  # 1. The Database
  guac-db:
    image: postgres:15-alpine
    container_name: guac-db
    user: root
    cpus: 2.0
    mem_limit: "4096m"
    mem_reservation: "1024m"
    restart: unless-stopped
    environment:
      POSTGRESQL_USERNAME: guacamole_user
      POSTGRESQL_PASSWORD: apts22$$
      POSTGRESQL_DB: guacamole_db
    volumes:
      - /docker/guacamole/init:/docker-entrypoint-initdb.d:ro # Loads schema on first boot
      - /docker/guacamole/db:/var/lib/postgresql/data
    networks:
      - guac_internal

  # 2. The "Proxy Daemon" (Translates RDP/SSH to HTML5)
  guacd:
    image: guacamole/guacd
    container_name: guacd
    cpus: 1.0
    mem_limit: "1024m"
    mem_reservation: "256m"
    restart: unless-stopped
    networks:
      - guac_internal
      - guac_ssh

  # 3. The Web Interface
  guacamole:
    image: guacamole/guacamole
    container_name: guacamole
    restart: unless-stopped
    user: root
    cpus: 2.0
    mem_limit: "3072m"       # 3 GB
    mem_reservation: "1024m"
    depends_on:
      - guac-db
      - guacd
    environment:
      GUACD_HOSTNAME: guacd
      POSTGRESQL_HOSTNAME: guac-db
      POSTGRESQL_DATABASE: guacamole_db
      POSTGRESQL_USERNAME: guacamole_user
      POSTGRESQL_PASSWORD: apts22$$
      CATALINA_OPTS: "-Djava.security.egd=file:/dev/./urandom -Xms1g -Xmx2g"
    networks:
      - guac_internal
      - guac_external # Connects to Traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.guac.rule=Host(`ssh.mapletree.email`)"
      - "traefik.http.routers.guac.entrypoints=websecure"
      - "traefik.http.routers.guac.tls=true"
      - "traefik.http.services.guac.loadbalancer.server.port=8080"
      - "traefik.http.routers.guac.tls.certresolver=myresolver"
      - "traefik.docker.network=guac_external"

      # Middleware 1: Redirect
      - "traefik.http.middlewares.guac-redirect.redirectregex.regex=^https://([^/]+)/?$$"
      - "traefik.http.middlewares.guac-redirect.redirectregex.replacement=https://$${1}/guacamole/"

      # Middleware 2: Disable Buffering (Stability Fix)
      - "traefik.http.middlewares.guac-buffer.buffering.maxResponseBodyBytes=0"
      - "traefik.http.middlewares.guac-buffer.buffering.maxRequestBodyBytes=0"
      - "traefik.http.middlewares.guac-buffer.buffering.memRequestBodyBytes=0"
      - "traefik.http.middlewares.guac-buffer.buffering.memResponseBodyBytes=0"
      - "traefik.http.middlewares.guac-buffer.buffering.retryExpression=IsNetworkError() && Attempts() <= 2"

      # Apply Both
      - "traefik.http.routers.guac.middlewares=guac-redirect,guac-buffer"
networks:
  guac_internal:
    internal: true
  guac_external:
    external: true
  guac_ssh:
    external: true