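---
# Docker Compose stack: Apache Guacamole web app plus its guacd proxy,
# published through Traefik via container labels.
#
# Variables (${...}) are interpolated by Compose from the environment / .env file.
# NOTE(review): both images use the mutable ":latest" tag, so a pull can silently
# change what runs here. Pin a reviewed version (ideally by digest) before
# relying on this in production.

services:
  guacd:
    image: guacamole/guacd:latest
    container_name: "${GUACD_NAME}"
    restart: always
    cpus: 1.0
    mem_limit: "1024m"
    mem_reservation: "256m"
    networks:
      # guac_internal: private link to the web app.
      # guac_ssh: pre-existing network (declared external below) that guacd also joins.
      - guac_internal
      - guac_ssh

  guacamole:
    image: guacamole/guacamole:latest
    container_name: "guac-node${GUAC_NODE_ID}"
    restart: always
    # NOTE(review): forces the web app to run as root inside the container.
    # Confirm this is required; otherwise remove it so the image's default user applies.
    user: root
    ports:
      # NOTE(review): publishes the plain-HTTP port on every host interface, so the
      # app is reachable without Traefik's TLS and middlewares. If Traefik is the
      # only intended entry point, drop this mapping or bind it to loopback
      # ("127.0.0.1:8080:8080").
      - "8080:8080"
    cpus: 2.0
    mem_limit: "3072m"  # 3 GB
    mem_reservation: "1024m"
    environment:
      - GUACD_HOSTNAME=${GUACD_NAME}
      - MYSQL_HOSTNAME=${GUAC_DB_HOST}
      - MYSQL_PORT=${GUAC_DB_PORT}
      - MYSQL_DATABASE=${GUAC_DB_NAME}
      - MYSQL_USER=${GUAC_DB_USER}
      # NOTE(review): a password passed as an environment variable is visible to
      # anyone who can inspect the container; prefer a secret mechanism if available.
      - MYSQL_PASSWORD=${GUAC_DB_PASS}
      # NOTE(review): TLS to the database is switched off, so credentials and
      # connection data cross the network in clear text. Acceptable only if the
      # path to ${GUAC_DB_HOST} is fully trusted; confirm.
      - MYSQL_SSL_MODE=disabled
      # In list form Compose keeps inner quotes as part of the value, so the
      # original KEY="..." form handed Tomcat a quoted string instead of three
      # JVM options. Quote the whole list item instead.
      - 'CATALINA_OPTS=-Djava.security.egd=file:/dev/./urandom -Xms1g -Xmx2g'
    depends_on:
      # depends_on takes the service key, not the container name; ${GUACD_NAME}
      # only worked when it happened to equal "guacd".
      - guacd
    # The "networks:" key was commented out, leaving this service without a
    # network in common with guacd (guac_internal) and off the network named in
    # traefik.docker.network (guac_external). Restored.
    networks:
      - guac_internal
      - guac_external
    labels:
      - "traefik.enable=${GUAC_TRAEFIK_ENABLED}"
      # NOTE(review): Compose normally prefixes network names with the project
      # name; verify that Traefik sees this network under exactly this name.
      - "traefik.docker.network=guac_external"

      # --- NODE-SPECIFIC ADMIN ROUTER (per-node hostname guac<ID>.<suffix>) ---
      # NOTE(review): this router gets the same middlewares as the public one and
      # no extra access restriction; if it is meant for operators only, add an
      # allow-list or auth middleware. It also targets guac-common-service, so
      # when that pool holds several nodes a request to this hostname is not
      # guaranteed to land on this node. Confirm intent.
      - "traefik.http.routers.guac-admin-${GUAC_NODE_ID}.rule=Host(`guac${GUAC_NODE_ID}.${TRAEFIK_DNS_SUFFIX}`)"
      - "traefik.http.routers.guac-admin-${GUAC_NODE_ID}.entrypoints=${TRAEFIK_ENTRY_POINTS}"
      # Was a duplicate of the guac-shared certresolver label, which left the
      # admin router without a certificate resolver.
      - "traefik.http.routers.guac-admin-${GUAC_NODE_ID}.tls.certresolver=${TRAEFIK_RESOLVER}"
      - "traefik.http.routers.guac-admin-${GUAC_NODE_ID}.service=guac-common-service"
      - "traefik.http.routers.guac-admin-${GUAC_NODE_ID}.tls=true"

      # --- SHARED HA ROUTER (the main URL guac.<suffix>) ---
      - "traefik.http.routers.guac-shared-${GUAC_NODE_ID}.rule=Host(`guac.${TRAEFIK_DNS_SUFFIX}`)"
      - "traefik.http.routers.guac-shared-${GUAC_NODE_ID}.entrypoints=${TRAEFIK_ENTRY_POINTS}"
      - "traefik.http.routers.guac-shared-${GUAC_NODE_ID}.tls.certresolver=${TRAEFIK_RESOLVER}"
      - "traefik.http.routers.guac-shared-${GUAC_NODE_ID}.service=guac-common-service"
      - "traefik.http.routers.guac-shared-${GUAC_NODE_ID}.tls=true"

      # --- THE SHARED SERVICE ---
      # Identical name on both containers creates the load-balanced pool.
      - "traefik.http.services.guac-common-service.loadbalancer.server.port=8080"

      # Middleware 1: redirect the bare host root to /guacamole/.
      # "$$" is Compose's escape for a literal "$" (regex anchor and ${1} capture).
      - "traefik.http.middlewares.guac-redirect.redirectregex.regex=^https://([^/]+)/?$$"
      - "traefik.http.middlewares.guac-redirect.redirectregex.replacement=https://$${1}/guacamole/"

      # Middleware 2: buffering settings (added by the author as a stability fix).
      # NOTE(review): attaching Traefik's buffering middleware appears to enable
      # buffering rather than disable it, and 0 for the max*BodyBytes options
      # means "no limit", which removes any cap on request/response size.
      # Confirm this matches the intent.
      - "traefik.http.middlewares.guac-buffer.buffering.maxResponseBodyBytes=0"
      - "traefik.http.middlewares.guac-buffer.buffering.maxRequestBodyBytes=0"
      - "traefik.http.middlewares.guac-buffer.buffering.memRequestBodyBytes=0"
      - "traefik.http.middlewares.guac-buffer.buffering.memResponseBodyBytes=0"
      - "traefik.http.middlewares.guac-buffer.buffering.retryExpression=IsNetworkError() && Attempts() <= 2"

      # --- Apply to the SHARED router ---
      - "traefik.http.routers.guac-shared-${GUAC_NODE_ID}.middlewares=guac-redirect,guac-buffer"
      # --- Apply to the NODE-SPECIFIC admin router ---
      - "traefik.http.routers.guac-admin-${GUAC_NODE_ID}.middlewares=guac-redirect,guac-buffer"

      # Sticky sessions keep a client on one node to prevent "session jumping".
      - "traefik.http.services.guac-common-service.loadbalancer.sticky.cookie=true"
      - "traefik.http.services.guac-common-service.loadbalancer.sticky.cookie.name=guac_session"
      # Both routers are TLS-only, so the affinity cookie can be restricted to
      # HTTPS and hidden from page scripts.
      - "traefik.http.services.guac-common-service.loadbalancer.sticky.cookie.secure=true"
      - "traefik.http.services.guac-common-service.loadbalancer.sticky.cookie.httpOnly=true"

networks:
  # No outbound/external connectivity: carries only guacamole <-> guacd traffic.
  guac_internal:
    internal: true
  # Bridge network named in traefik.docker.network for Traefik-to-guacamole traffic.
  guac_external:
    driver: bridge
  # Created outside this Compose project; must exist before "up".
  guac_ssh:
    external: true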