From 20ba9952a1d1b50abaf5fc7bec9b702b5b7ac5aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Kr=C3=BCger?= <valknar@pivoine.art>
Date: Thu, 27 Nov 2025 12:13:57 +0100
Subject: [PATCH] feat: upscale service

---
 ai/compose.yaml                | 32 ++++++++++++++++++++++++++++++++
 net/authelia/configuration.yml |  3 ++-
 2 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/ai/compose.yaml b/ai/compose.yaml
index aeafd61..31f9045 100644
--- a/ai/compose.yaml
+++ b/ai/compose.yaml
@@ -247,6 +247,38 @@ services:
       # Watchtower
       - "com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}"
 
+  upscale:
+    image: nginx:alpine
+    container_name: ${AI_COMPOSE_PROJECT_NAME}_upscale
+    restart: unless-stopped
+    environment:
+      TZ: ${TIMEZONE:-Europe/Berlin}
+      GPU_SERVICE_HOST: ${GPU_TAILSCALE_HOST}
+      GPU_SERVICE_PORT: ${UPSCALE_BACKEND_PORT:-8080}
+    volumes:
+      - ./nginx.conf.template:/etc/nginx/nginx.conf.template:ro
+    command: /bin/sh -c "envsubst '$${GPU_SERVICE_HOST},$${GPU_SERVICE_PORT}' < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf && exec nginx -g 'daemon off;'"
+    networks:
+      - compose_network
+    labels:
+      - "traefik.enable=${AI_UPSCALE_TRAEFIK_ENABLED:-true}"
+      # HTTP to HTTPS redirect
+      - "traefik.http.middlewares.${AI_COMPOSE_PROJECT_NAME}-upscale-redirect-web-secure.redirectscheme.scheme=https"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-upscale-web.middlewares=${AI_COMPOSE_PROJECT_NAME}-upscale-redirect-web-secure"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-upscale-web.rule=Host(`${AI_UPSCALE_TRAEFIK_HOST:-upscale.ai.pivoine.art}`)"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-upscale-web.entrypoints=web"
+      # HTTPS router with Authelia SSO
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-upscale-web-secure.rule=Host(`${AI_UPSCALE_TRAEFIK_HOST:-upscale.ai.pivoine.art}`)"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-upscale-web-secure.tls.certresolver=resolver"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-upscale-web-secure.entrypoints=web-secure"
+      - "traefik.http.middlewares.${AI_COMPOSE_PROJECT_NAME}-upscale-web-secure-compress.compress=true"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-upscale-web-secure.middlewares=${AI_COMPOSE_PROJECT_NAME}-upscale-web-secure-compress,net-authelia,security-headers@file"
+      # Service
+      - "traefik.http.services.${AI_COMPOSE_PROJECT_NAME}-upscale-web-secure.loadbalancer.server.port=80"
+      - "traefik.docker.network=${NETWORK_NAME}"
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}"
+
   # Supervisor UI - Modern web interface for RunPod process management
   supervisor:
     image: dev.pivoine.art/valknar/supervisor-ui:latest
diff --git a/net/authelia/configuration.yml b/net/authelia/configuration.yml
index b62357f..e56b5e7 100644
--- a/net/authelia/configuration.yml
+++ b/net/authelia/configuration.yml
@@ -77,6 +77,7 @@ access_control:
         - "comfy.ai.pivoine.art"
         - "supervisor.ai.pivoine.art"
         - "audiocraft.ai.pivoine.art"
+        - "upscale.ai.pivoine.art"
       policy: one_factor
 
 # session secret set via environment variable: AUTHELIA_SESSION_SECRET
@@ -84,7 +85,7 @@ session:
   name: "authelia_session"
   same_site: "lax"
   expiration: "1h"
-  inactivity: "5m"
+  inactivity: "15m"
   remember_me: "1M"
   cookies:
     - domain: "pivoine.art"