From 4a09dce2c0b49a8d59991b9eb9d72f6b436c0767 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Kr=C3=BCger?=
Date: Mon, 16 Feb 2026 15:51:06 +0100
Subject: [PATCH] Add api stack with freepik and facefusion behind forwardAuth

Traefik routes api.pivoine.art/freepik and /facefusion to their respective containers with path rewriting, shared API token auth via an nginx sidecar, and api-rate-limit middleware.

Co-Authored-By: Claude Opus 4.6
---
 api/auth.conf.template | 9 +++++
 api/compose.yml | 74 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 83 insertions(+)
 create mode 100644 api/auth.conf.template
 create mode 100644 api/compose.yml
diff --git a/api/auth.conf.template b/api/auth.conf.template
new file mode 100644
index 0000000..648a2c5
--- /dev/null
+++ b/api/auth.conf.template
@@ -0,0 +1,9 @@
+server {
+ listen 8080;
+ location / {
+ if ($http_x_api_key != '${API_TOKEN}') {
+ return 401;
+ }
+ return 200;
+ }
+}
diff --git a/api/compose.yml b/api/compose.yml
new file mode 100644
index 0000000..fa0600a
--- /dev/null
+++ b/api/compose.yml
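Review bot: In api/auth.conf.template the check `$http_x_api_key != '${API_TOKEN}'` fails open when API_TOKEN is empty: the template then renders a comparison against `''`, and a request with no X-API-Key header has an empty `$http_x_api_key`, so it falls through to `return 200`. Compose passes an unset variable through as an empty string (with only a warning), so a missing .env entry is enough to reach that state. Reject an empty header before the comparison, `if ($http_x_api_key = '') { return 401; }`, and make the `API_TOKEN=${API_TOKEN}` line in api/compose.yml mandatory with `API_TOKEN=${API_TOKEN:?API_TOKEN must be set}`. A token containing a single quote or `$` would also corrupt the rendered config, which is worth a comment above the `if`.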
@@ -0,0 +1,74 @@
+services:
+ auth:
+ image: nginx:alpine
+ container_name: api_auth
+ volumes:
+ - ./auth.conf.template:/etc/nginx/templates/default.conf.template:ro
+ environment:
+ - API_TOKEN=${API_TOKEN}
+ restart: always
+ networks:
+ - compose_network
+
+ freepik:
+ image: dev.pivoine.art/valknar/freepik-api:latest
+ container_name: api_freepik
+ environment:
+ - FP_FREEPIK_API_KEY=${FP_FREEPIK_API_KEY}
+ - FP_WEBHOOK_SECRET=${FP_WEBHOOK_SECRET}
+ volumes:
+ - ../.data/api/freepik/outputs:/app/outputs
+ - ../.data/api/freepik/temp:/app/temp
+ restart: always
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.middlewares.api-redirect-web-secure.redirectscheme.scheme=https"
+ - "traefik.http.middlewares.api-auth.forwardauth.address=http://api_auth:8080"
+ - "traefik.http.middlewares.api-freepik-strip.stripprefix.prefixes=/freepik"
+ - "traefik.http.middlewares.api-freepik-addprefix.addprefix.prefix=/api/v1"
+ - "traefik.http.routers.api-freepik-web.rule=Host(`${TRAEFIK_HOST}`) && PathPrefix(`/freepik`)"
+ - "traefik.http.routers.api-freepik-web.entrypoints=web"
+ - "traefik.http.routers.api-freepik-web.middlewares=api-redirect-web-secure"
+ - "traefik.http.routers.api-freepik-web-secure.rule=Host(`${TRAEFIK_HOST}`) && PathPrefix(`/freepik`)"
+ - "traefik.http.routers.api-freepik-web-secure.entrypoints=web-secure"
+ - "traefik.http.routers.api-freepik-web-secure.tls.certresolver=resolver"
+ - "traefik.http.routers.api-freepik-web-secure.middlewares=api-auth,api-freepik-strip,api-freepik-addprefix,api-rate-limit@file"
+ - "traefik.http.services.api-freepik-web-secure.loadbalancer.server.port=8000"
+ - "traefik.docker.network=${NETWORK_NAME}"
+ - "com.centurylinklabs.watchtower.enable=true"
+ networks:
+ - compose_network
+
+ facefusion:
+ image: dev.pivoine.art/valknar/facefusion-api:latest
+ container_name: api_facefusion
+ environment:
+ - FF_EXECUTION_PROVIDERS=["cpu"]
+ volumes:
+ - ../.data/api/facefusion/uploads:/app/uploads
+ - ../.data/api/facefusion/outputs:/app/outputs
+ - ../.data/api/facefusion/models:/app/models
+ - ../.data/api/facefusion/temp:/app/temp
+ - ../.data/api/facefusion/jobs:/app/jobs
+ restart: always
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.middlewares.api-facefusion-strip.stripprefix.prefixes=/facefusion"
+ - "traefik.http.middlewares.api-facefusion-addprefix.addprefix.prefix=/api/v1"
+ - "traefik.http.routers.api-facefusion-web.rule=Host(`${TRAEFIK_HOST}`) && PathPrefix(`/facefusion`)"
+ - "traefik.http.routers.api-facefusion-web.entrypoints=web"
+ - "traefik.http.routers.api-facefusion-web.middlewares=api-redirect-web-secure"
+ - "traefik.http.routers.api-facefusion-web-secure.rule=Host(`${TRAEFIK_HOST}`) && PathPrefix(`/facefusion`)"
+ - "traefik.http.routers.api-facefusion-web-secure.entrypoints=web-secure"
+ - "traefik.http.routers.api-facefusion-web-secure.tls.certresolver=resolver"
+ - "traefik.http.routers.api-facefusion-web-secure.middlewares=api-auth,api-facefusion-strip,api-facefusion-addprefix,api-rate-limit@file"
+ - "traefik.http.services.api-facefusion-web-secure.loadbalancer.server.port=8000"
+ - "traefik.docker.network=${NETWORK_NAME}"
+ - "com.centurylinklabs.watchtower.enable=true"
+ networks:
+ - compose_network
+
+networks:
+ compose_network:
+ name: ${NETWORK_NAME}
+ external: true
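Review bot: Both API images are pulled as `:latest` and carry `com.centurylinklabs.watchtower.enable=true`, so whatever is pushed to that tag is rolled out unattended into containers that hold FP_FREEPIK_API_KEY and FP_WEBHOOK_SECRET and sit behind the shared token. Pinning to a release tag or digest, e.g. `image: dev.pivoine.art/valknar/freepik-api:<version>@sha256:<digest>` (placeholders), keeps updates reviewable; `nginx:alpine` for the auth sidecar is a floating tag as well. Separately, `api-auth` and `api-redirect-web-secure` are declared only in the freepik service's labels while the facefusion routers reference them. It is worth confirming how Traefik treats those routers when api_freepik is stopped, and adding a comment such as `# api-auth / api-redirect-web-secure are defined on the freepik service` above the facefusion labels.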