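# Reverse-proxy stack for pukeko.xyz: Traefik terminates TLS (ACME via the
# Cloudflare DNS challenge), Authelia supplies forward-auth, Redis backs
# Authelia, and Homer is the dashboard published behind Authelia.
#
# Credentials are supplied from the environment (a local, uncommitted .env
# file) instead of being inlined here. The Cloudflare key/token values that
# were previously written into this file must be treated as exposed and
# rotated in the Cloudflare dashboard.
services:
  traefik:
    image: 'traefik:v2.10.4'
    container_name: 'traefik'
    # No `privileged: true`: Traefik needs no capabilities or devices beyond
    # what the mounted Docker socket already grants, and privileged mode would
    # additionally expose the host's devices and kernel interfaces.
    command:
      # DEBUG logs carry request detail; drop to INFO once the setup is stable.
      - '--log.level=DEBUG'
      # api.insecure serves the dashboard/API with no authentication on the
      # container's :8080, which is why its host binding below is loopback-only.
      - '--api.insecure=true'
      - '--providers.docker=true'
      - '--providers.docker.exposedbydefault=false'
      - '--entrypoints.web.address=:80'
      - '--entrypoints.pukekos.address=:443'
      - '--entrypoints.web.http.redirections.entrypoint.to=pukekos'
      - '--certificatesresolvers.takaheresolver.acme.dnschallenge=true'
      - '--certificatesresolvers.takaheresolver.acme.dnschallenge.provider=cloudflare'
      # Uncomment to issue against the Let's Encrypt staging CA while testing.
      # - '--certificatesresolvers.takaheresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory'
      - '--certificatesresolvers.takaheresolver.acme.email=matanhorovitz@protonmail.com'
      - '--certificatesresolvers.takaheresolver.acme.storage=/certs/acme.json'
      - '--certificatesresolvers.takaheresolver.acme.dnschallenge.resolvers=1.1.1.1:53'
    ports:
      - '80:80'
      - '443:443'
      # Unauthenticated dashboard: bound to loopback only. Reach it through an
      # SSH tunnel, or publish it as a Traefik router behind the authelia
      # middleware instead of widening this binding.
      - '127.0.0.1:8282:8080'
    environment:
      # Read from .env; `:?` makes `docker compose up` fail early when unset.
      # A scoped DNS-edit token is enough for the challenge. If the token works
      # on its own, drop CF_API_KEY/CF_API_EMAIL: the global API key grants full
      # account access and is far more valuable if leaked.
      - CF_API_KEY=${CF_API_KEY:?CF_API_KEY-not-set}
      - CF_API_EMAIL=${CF_API_EMAIL:?CF_API_EMAIL-not-set}
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN:?CF_DNS_API_TOKEN-not-set}
    volumes:
      # acme.json holds the private keys of every issued certificate; keep
      # ./certs out of version control.
      - './certs:/certs'
      # Docker socket access is equivalent to root on the host. A socket proxy
      # that exposes only the read-only container endpoints would narrow this.
      - '/var/run/docker.sock:/var/run/docker.sock'
    networks:
      - network
      - internal
      - arr_network
      - filebrowser_network
      - gitea_network
      - vaultwarden_network
      - vikunja_network
      - jellyfin_network
      - joplin_network
      - photoprism_network
      - portainer_network
      - prometheus_network
      - qbittorrent_network
      - syncthing_network
      - wikijs_network
      - wikijs_study_instance_network
      - wireguard_network
    restart: unless-stopped
    labels:
      - 'traefik.enable=true'
      # Bare apex: redirect https://pukeko.xyz/... to the Homer dashboard.
      - 'traefik.http.routers.domain.entrypoints=pukekos'
      - 'traefik.http.routers.domain.rule=Host(`pukeko.xyz`)'
      - 'traefik.http.routers.domain.tls.certresolver=takaheresolver'
      - 'traefik.http.routers.domain.middlewares=domain'
      - 'traefik.http.middlewares.domain.redirectregex.regex=^https://pukeko.xyz/(.*)'
      # `$$` is Compose's escape for a literal `$`, so Traefik sees `${1}`.
      - 'traefik.http.middlewares.domain.redirectregex.replacement=https://dash.pukeko.xyz/$${1}'
      - 'traefik.http.middlewares.domain.redirectregex.permanent=true'
      # Default certificate for hosts that no router's TLS config covers.
      - 'traefik.tls.stores.default.defaultgeneratedcert.resolver=takaheresolver'
      - 'traefik.tls.stores.default.defaultgeneratedcert.domain.main=pukeko.xyz'
    # user: 1001:1001

  homer:
    # Unpinned image; pin a tag (as done for traefik) for reproducible upgrades.
    image: b4bz/homer
    container_name: homer
    volumes:
      - ./homer/:/www/assets
    ports:
      - '4957:8080'
    environment:
      - UID=1000
      - GID=1000
    restart: unless-stopped
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.homer.entrypoints=pukekos'
      - 'traefik.http.routers.homer.rule=Host(`dash.pukeko.xyz`)'
      - 'traefik.http.routers.homer.service=homer-traefik@docker'
      - 'traefik.http.routers.homer.tls.certresolver=takaheresolver'
      # Every request to the dashboard is checked by Authelia first.
      - 'traefik.http.routers.homer.middlewares=authelia@docker'
    networks:
      - internal

  authelia:
    # `:latest` floats between releases; pin a version for predictable upgrades.
    image: authelia/authelia:latest
    container_name: authelia
    environment:
      - TZ=Asia/Jerusalem
      # - AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE=/run/secrets/private_key
    volumes:
      - ./authelia:/config
    restart: unless-stopped
    secrets:
      - hmac
      - private_key
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.authelia.rule=Host(`auth.pukeko.xyz`)'
      - 'traefik.http.routers.authelia.entrypoints=pukekos'
      - 'traefik.http.routers.authelia.service=authelia-traefik@docker'
      - 'traefik.http.routers.authelia.tls=true'
      - 'traefik.http.routers.authelia.tls.certresolver=takaheresolver'
      # Forward-auth middleware used by other services' routers. trustForwardHeader
      # is acceptable only because Traefik is the sole caller of authelia:9091.
      - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.pukeko.xyz/'
      - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
      - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email'
      # Variant that answers with HTTP Basic challenges (for non-browser clients).
      - 'traefik.http.middlewares.authelia-basic.forwardauth.address=http://authelia:9091/api/verify?auth=basic'
      - 'traefik.http.middlewares.authelia-basic.forwardauth.trustForwardHeader=true'
      - 'traefik.http.middlewares.authelia-basic.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email'
    networks:
      - internal
    expose:
      - '9091'

  redis:
    image: redis:alpine
    container_name: authelia_redis
    volumes:
      - ./redis:/data
    # Reachable only on the `internal` network; not published to the host.
    networks:
      - internal
    expose:
      - '6379'
    restart: unless-stopped

# Files under ./authelia/secrets must stay out of version control.
secrets:
  hmac:
    file: ./authelia/secrets/hmac
  private_key:
    file: ./authelia/secrets/issuer_private_key

networks:
  network:
    driver: bridge
  internal:
    driver: bridge
  # External networks are created by the respective service stacks; Traefik
  # joins them to reach those containers.
  arr_network:
    external: true
  filebrowser_network:
    external: true
  gitea_network:
    external: true
  # jekyll_network:
  #   external: true
  jellyfin_network:
    external: true
  joplin_network:
    external: true
  photoprism_network:
    external: true
  podgrab_network:
    external: true
  portainer_network:
    external: true
  prometheus_network:
    external: true
  vaultwarden_network:
    external: true
  vikunja_network:
    external: true
  wikijs_network:
    external: true
  wikijs_study_instance_network:
    external: true
  wireguard_network:
    external: true
  qbittorrent_network:
    external: true
  syncthing_network:
    external: true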