AZ-NIX/hosts/AZ-CLD-1/services/containers/baserow.nix

{
  config,
  lib,
  ...
}: let
  serviceName = "baserow";
  portUtils = import ../../../../lib/port-utils.nix {inherit lib;};
  servicePort = portUtils.getPort serviceName "AZ-CLD-1";
in {
  virtualisation.oci-containers.containers.${serviceName} = {
    image = "docker.io/baserow/baserow:2.1.6";
    environment = {
      BASEROW_AMOUNT_OF_GUNICORN_WORKERS = "4";
      BASEROW_AMOUNT_OF_WORKERS = "2";
      DATABASE_CONN_MAX_AGE = "60";
      # Proxy: tell Django the connection is HTTPS so cookies get Secure flag
      BASEROW_ENABLE_SECURE_PROXY_SSL_HEADER = "yes";
      # Published apps run on different origins — allow cross-origin cookie delivery
      BASEROW_FRONTEND_SAME_SITE_COOKIE = "none";
      # Valid base domain for published app subdomains
      BASEROW_BUILDER_DOMAINS = "az-gruppe.com";
      # Disable Caddy's on_demand TLS — Traefik handles TLS termination
      BASEROW_CADDY_GLOBAL_CONF = "auto_https off";
    };
    environmentFiles = [config.age.secrets.baserow-env.path];
    ports = ["127.0.0.1:${toString servicePort}:80"];
    volumes = ["baserow_data:/baserow/data"];
    extraOptions = ["--add-host=postgres:10.89.0.1" "--ip=10.89.0.10" "--network=web"];
  };

  # Traefik configuration
  services.traefik.dynamicConfigOptions.http = {
    services.${serviceName}.loadBalancer.servers = [
      {
        url = "http://localhost:${toString servicePort}/";
      }
    ];

    middlewares."${serviceName}-headers".headers = {
      customRequestHeaders = {
        X-Forwarded-Proto = "https";
        X-Forwarded-Port = "443";
      };
    };

    routers.${serviceName} = {
      rule = "Host(`br.az-gruppe.com`)";
      tls = {
        certResolver = "ionos";
      };
      service = serviceName;
      entrypoints = "websecure";
      middlewares = ["${serviceName}-headers"];
    };

    routers.azubi = {
      rule = "Host(`azubi.az-gruppe.com`)";
      tls = {
        certResolver = "ionos";
      };
      service = serviceName;
      entrypoints = "websecure";
      middlewares = ["${serviceName}-headers"];
    };
    routers.ausbilder = {
      rule = "Host(`ausbilder.az-gruppe.com`)";
      tls = {
        certResolver = "ionos";
      };
      service = serviceName;
      entrypoints = "websecure";
      middlewares = ["${serviceName}-headers"];
    };
  };
}