# nginx-proxy — TLS reverse proxy (HTTPS + MQTT-TLS)
# Networks: edge (port publisher) + app (proxy targets)
# Publishes: 80, 443, 8883 on the host

services:
  nginx-proxy:
    image: nginx:1.27-alpine
    restart: unless-stopped
    networks: [edge, app]
    ports:
      - "80:80"
      - "443:443"
      - "8883:8883"    # MQTT-TLS via stream{} block
    volumes:
      - ./config/conf.d:/etc/nginx/conf.d:ro
      - ./config/stream.d:/etc/nginx/stream.d:ro
      - ./config/nginx.conf:/etc/nginx/nginx.conf:ro
      - nginx-certs:/etc/nginx/certs:ro
    # TODO: SSL strategy (acme-companion sidecar vs certbot vs internal PKI)

networks:
  edge:
  app:

volumes:
  nginx-certs: