---
version: "3.8"
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    hostname: traefik
    restart: unless-stopped

   
    environment:
      - CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL}
      - CLOUDFLARE_DNS_API_TOKEN=${CLOUDFLARE_KEY}
      - DOMAIN_ROOT=${DOMAIN_ROOT}
      
    ports:
      - mode: host
        protocol: tcp
        published: 80
        target: 80
      - mode: host
        protocol: tcp
        published: 443
        target: 443

    volumes:
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - ./custom:/etc/traefik/custom:ro
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - certs:/letsencrypt

    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN_ROOT}`)'
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - 'entrypoints.websecure.http.tls=true'
      - 'entrypoints.websecure.http.tls.certResolver=letsencrypt'
      - 'entrypoints.websecure.http.tls.domains[0].main=${DOMAIN_ROOT}'
      - 'entrypoints.websecure.http.tls.domains[0].sans=*.${DOMAIN_ROOT}'
      - "traefik.http.routers.traefik.service=api@internal"
      - 'traefik.http.routers.traefik.middlewares=strip'
      - 'traefik.http.middlewares.strip.stripprefix.prefixes=/traefik'
      - 'traefik.http.services.traefik.loadbalancer.server.port=8080'
      - 'traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https://login.${DOMAIN_ROOT}/'
      - 'traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true'
      - 'traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
      - 'certificatesresolvers.letsencrypt.acme.dnschallenge=true'
      - 'certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare'
      - 'certificatesresolvers.letsencrypt.acme.email=${CLOUDFLARE_EMAIL}'
      - 'certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json'

    networks:
      - web

  authelia:
    image: authelia/authelia
    container_name: authelia
    volumes:
      - authelia_config:/config
      - ./config/configuration.yml:/config/configuration.yml:ro
      - ./config/users_database.yml:/config/users_database.yml:ro

    environment:
      - DOMAIN_ROOT=${DOMAIN_ROOT}
      - TZ=${TIMEZONE}

    networks:
      - web

    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.authelia.rule=Host(`login.${DOMAIN_ROOT}`)'
      - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://login.${DOMAIN_ROOT}/'  # yamllint disable-line rule:line-length
      - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
      - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'  # yamllint disable-line rule:line-length
      - 'traefik.http.services.authelia.loadbalancer.server.port=9091'

    restart: unless-stopped
    healthcheck:
      ## In production the healthcheck section should be commented.
      disable: true

networks:
  web:
    external: true

volumes:
  certs:
    name: certs
    driver: local

  authelia_config:
    name: authelia_config
    driver: local