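---
# Compose stack: Traefik reverse proxy fronted by Authelia forward-auth,
# with MariaDB (+Adminer), PostgreSQL (+pgAdmin) and Redis on the backend network.
# Secrets and credentials are supplied from the environment / .env and the
# $SECRETSDIR files; no literal credential belongs in this file.
version: "3.9"

secrets:
  authelia_jwt_secret:
    file: $SECRETSDIR/authelia_jwt_secret
  authelia_session_secret:
    file: $SECRETSDIR/authelia_session_secret
  authelia_storage_postgres_password:
    file: $SECRETSDIR/authelia_storage_postgres_password
  authelia_storage_encryption_key_file:
    file: $SECRETSDIR/authelia_storage_encryption_key_file
  authelia_notifier_smtp_password:
    file: $SECRETSDIR/authelia_notifier_smtp_password
  authelia_duo_api_secret_key:
    file: $SECRETSDIR/authelia_duo_api_secret_key

########################### EXTENSION FIELDS ##########################
# Helps eliminate repetition of sections
# More Info on how to use this: https://github.com/htpcBeginner/docker-traefik/pull/228
#######################################################################
# NOTE: neither anchor below is currently referenced by any service; they are
# kept for future use. Merging &common-keys-monitoring into a service would
# also apply security_opt no-new-privileges to it.
x-environment: &default-tz-puid-pgid
  - TZ=$TZ
  - PUID=$PUID
  - PGID=$PGID

x-common-keys-monitoring: &common-keys-monitoring
  networks:
    - backend
  security_opt:
    - no-new-privileges:true
  restart: always

services:
  reverse-proxy:
    # Official Traefik image, pinned to the v2.9 minor line
    image: traefik:v2.9
    container_name: traefik
    logging:
      driver: "json-file"
      options:
        max-size: "5m"
        max-file: "3"
    restart: unless-stopped
    networks:
      - backend
      - frontend
    ports:
      # HTTP / HTTPS entrypoints
      - "80:80"
      - "443:443"
      # Influx
      - "8086:8086"
      # Mqtt
      - "9001:9001"
      - "8883:8883"
    volumes:
      # So that Traefik can listen to the Docker events.
      # The socket is mounted read-write; anything that can reach Traefik's
      # container has Docker-API-level access to the host.
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.yml:/etc/traefik/traefik.yml
      - ./traefik:/rules
      - ./static_config.yml:/etc/traefik/static_config.yml
      # - "./log.json:/etc/traefik/log.json"
      #- ./acme.json:/acme.json
      - ./letsencrypt/acme.json:/letsencrypt/acme.json
      - ${DIR}/traefik/log:/log
    environment:
      # Cloudflare credentials for the DNS challenge come from the environment
      # (.env), never as literals in this file. NOTE(review): a literal key was
      # previously committed here and should be treated as exposed and rotated.
      - CF_API_EMAIL=${CF_API_EMAIL}
      - CF_API_KEY=${CF_API_KEY}
      # Passed through from the host environment (no value means "inherit").
      - CLOUDFLARE_IPS
      - LOCAL_IPS
    labels:
      - diun.enable=true
      # Router zighome-secure is declared by the file provider (/rules), not here.
      - "traefik.http.routers.zighome-secure.middlewares=chain-authelia@file"
    dns:
      - "8.8.8.8"

  authelia:
    image: authelia/authelia:4
    container_name: authelia
    volumes:
      - ./authelia:/config
      - ./notify.txt:/tmp/authelia/notification.txt
    networks:
      - backend
      - frontend
    ports:
      # Authelia's HTTP port is also published directly on the host, i.e.
      # reachable over plain HTTP without going through Traefik's TLS entrypoint.
      - "9091:9091"
    environment:
      - TZ=$TZ
      - PUID=$PUID
      - PGID=$PGID
      # All Authelia secrets are read from the mounted secret files, not env values.
      - AUTHELIA_JWT_SECRET_FILE=/run/secrets/authelia_jwt_secret
      - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret
      - AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE=/run/secrets/authelia_storage_postgres_password
      #- AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/authelia_notifier_smtp_password
      - AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/authelia_duo_api_secret_key
      - AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/authelia_storage_encryption_key_file
    labels:
      - diun.enable=true
      - "traefik.enable=true"
      - "traefik.http.routers.authelia.entrypoints=web-secure"
      - "traefik.http.routers.authelia.rule=Host(`authelia.${DOMAIN}`)"
      - "traefik.http.services.authelia-service.loadbalancer.server.port=9091"
      - "traefik.http.routers.authelia.tls.certresolver=milvert_dns"
      - "traefik.http.routers.authelia.tls=true"
      # Forward-auth middleware; only routers that reference it are protected by Authelia.
      - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth?authelia_url=https://authelia.${DOMAIN}" # yamllint disable-line rule:line-length
      - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email" # yamllint disable-line rule:line-length
    secrets:
      - authelia_jwt_secret
      - authelia_session_secret
      - authelia_storage_postgres_password
      - authelia_notifier_smtp_password
      - authelia_duo_api_secret_key
      - authelia_storage_encryption_key_file

  ######################### DATABASE ############################
  #
  # DATABASE
  #
  ###############################################################
  db:
    image: mariadb:10.5.6
    container_name: mariaDB
    logging:
      driver: "json-file"
      options:
        max-size: "5m"
        max-file: "3"
    restart: always
    networks:
      - backend
    volumes:
      - ${DIR}/database:/var/lib/mysql:rw
    ports:
      # MariaDB is published on host port 3307, so it is reachable from
      # outside the compose networks; restrict at the host firewall if unintended.
      - "3307:3306"
    labels:
      - diun.enable=true
      - "traefik.enable=false"
    environment:
      - PUID=${UID}
      - PGID=${GID}
      - TZ=${TZ}
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
      - MYSQL_USER=${MYSQL_USERNAME}
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}

  web_db:
    image: adminer
    container_name: adminer
    logging:
      driver: "json-file"
      options:
        max-size: "5m"
        max-file: "3"
    restart: always
    networks:
      - backend
    labels:
      - diun.enable=true
      - "traefik.enable=true"
      # IP allowlist: only loopback and the 10.0.0.0/24 range reach Adminer.
      # This router is not behind the Authelia forward-auth middleware.
      - "traefik.http.middlewares.webdb-mid.ipwhitelist.sourcerange=127.0.0.1/32, 10.0.0.1/24"
      - "traefik.http.routers.webdb-secure.middlewares=webdb-mid"
      - "traefik.http.routers.webdb-secure.entrypoints=web-secure"
      - "traefik.http.routers.webdb-secure.rule=Host(`webdb.${DOMAIN}`)"
      - "traefik.http.routers.webdb-secure.tls.certresolver=milvert_dns"
      - "traefik.http.routers.webdb-secure.tls=true"
      - "traefik.http.services.webdb-service.loadbalancer.server.port=8080"
    depends_on:
      - db
    environment:
      # NOTE(review): the adminer image does not read MYSQL_*/PMA_* variables
      # as far as this file shows; confirm these are needed before keeping the
      # root password in this container's environment.
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
      - MYSQL_USER=${MYSQL_USERNAME}
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
      - PMA_ARBITRARY=1

  postgres:
    image: postgres:15
    container_name: postgres
    logging:
      driver: "json-file"
      options:
        max-size: "5m"
        max-file: "3"
    restart: always
    networks:
      - backend
    volumes:
      - ${DIR}/database_pg/data:/var/lib/postgresql/data
    labels:
      - diun.enable=true
      - "traefik.enable=false"
    environment:
      - PUID=${UID}
      - PGID=${GID}
      - TZ=${TZ}
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}

  pgadmin:
    container_name: pgadmin_container
    image: dpage/pgadmin4
    logging:
      driver: "json-file"
      options:
        max-size: "5m"
        max-file: "3"
    # List form, to match the other services (was a mapping; same result).
    environment:
      - PUID=${UID}
      - PGID=${GID}
      - TZ=${TZ}
      - PGADMIN_DEFAULT_EMAIL=${PGADMIN_DEFAULT_EMAIL}
      - PGADMIN_DEFAULT_PASSWORD=${PGADMIN_DEFAULT_PASSWORD}
    volumes:
      - ${DIR}/database_pg/pgadmin:/root/.pgadmin
    networks:
      - backend
    restart: unless-stopped
    depends_on:
      - postgres
    labels:
      - diun.enable=true
      - "traefik.enable=true"
      # The router below references middleware webpg-mid, so the allowlist
      # must be defined; it was commented out, which leaves the router without
      # a valid middleware. Restored to mirror the webdb-mid allowlist above.
      - "traefik.http.middlewares.webpg-mid.ipwhitelist.sourcerange=127.0.0.1/32, 10.0.0.1/24"
      - "traefik.http.routers.webpg-secure.middlewares=webpg-mid"
      - "traefik.http.routers.webpg-secure.entrypoints=web-secure"
      - "traefik.http.routers.webpg-secure.rule=Host(`webpg.${DOMAIN}`)"
      - "traefik.http.routers.webpg-secure.tls.certresolver=milvert_dns"
      - "traefik.http.routers.webpg-secure.tls=true"
      #- "traefik.http.services.webpg-service.loadbalancer.server.port=8080"

  redis:
    image: redis:7.0-alpine
    container_name: redis
    logging:
      driver: "json-file"
      options:
        max-size: "5m"
        max-file: "3"
    restart: always
    networks:
      - backend
    volumes:
      # NOTE(review): the official redis image persists to /data by default;
      # confirm this mount path is the one the server actually writes to.
      - ${DIR}/redis:/var/lib/redis
    # Redis runs with the image default entrypoint: no password and no
    # persistence/memory limits. It is only on the internal backend network
    # and publishes no ports.
    #entrypoint: redis-server --appendonly yes --requirepass $REDIS_PASSWORD --maxmemory 512mb --maxmemory-policy allkeys-lru
    labels:
      - diun.enable=true

networks:
  frontend:
    external: true
  backend:
    external: false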