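---
# Docker Compose stack: Traefik v2 reverse proxy (ACME DNS-01 via Cloudflare),
# the Homer dashboard, and Authelia as the forward-auth provider.
#
# Secrets are NOT stored in this file. The Cloudflare credentials are read from
# the environment (or an untracked `.env` file next to this compose file):
#   CF_API_KEY, CF_DNS_API_TOKEN
# Keep `.env` out of version control and readable only by the deploying user.
# Credentials that were ever committed in plain text must be treated as
# compromised: revoke and re-issue them at the provider.
version: "3.3"

services:
  traefik:
    image: "traefik:v2.6"
    container_name: "traefik"
    command:
      # NOTE(review): DEBUG logging is verbose and can record request details;
      # drop to INFO or lower once the setup is working.
      - "--log.level=DEBUG"
      # NOTE(review): api.insecure serves the dashboard and API without
      # authentication on container port 8080, which is published below as
      # host port 8282. Prefer routing `api@internal` through a TLS router
      # protected by the authelia middleware, or bind the published port to
      # 127.0.0.1 only.
      - "--api.insecure=true"
      - "--providers.docker=true"
      # Containers are only routed when they opt in with traefik.enable=true.
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.pukekoresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.pukekoresolver.acme.dnschallenge.provider=cloudflare"
      # Uncomment to test against the Let's Encrypt staging CA (avoids rate limits):
      # - "--certificatesresolvers.pukekoresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.pukekoresolver.acme.email=matanhorovitz@protonmail.com"
      - "--certificatesresolvers.pukekoresolver.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.pukekoresolver.acme.dnschallenge.resolvers=1.1.1.1:53"
    ports:
      - "80:80"
      - "443:443"
      # Dashboard/API port (see the api.insecure note above).
      - "8282:8080"
    environment:
      # Values come from the environment / `.env`; compose aborts with the
      # given message if one is unset or empty.
      # NOTE(review): the global API key grants full account access. A DNS
      # token scoped to the zone is the least-privilege option; if the token
      # alone is sufficient, delete the CF_API_KEY and CF_API_EMAIL entries.
      - "CF_API_KEY=${CF_API_KEY:?CF_API_KEY is not set}"
      - "CF_API_EMAIL=matanhorovitz@protonmail.com"
      - "CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN:?CF_DNS_API_TOKEN is not set}"
    volumes:
      # acme.json holds the ACME account key and certificate private keys;
      # keep the host directory restricted to the owner.
      - "./letsencrypt:/letsencrypt"
      # NOTE(review): `:ro` only makes the socket file mount read-only; it does
      # not restrict Docker API calls made through the socket. Consider a
      # socket proxy that exposes only the read endpoints Traefik needs.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      # Traefik joins every application network so it can reach each backend.
      # This also makes the proxy container a bridge between otherwise
      # separate networks, so keep its exposure tight.
      - traefik_network
      - arr_network
      - filebrowser_network
      - gitea_network
      - grocy_network
      - vaultwarden_network
      - vikunja_network
      - freshrss_network
      - jekyll_network
      - jellyfin_network
      - joplin_network
      - photoprism_network
      - podgrab_network
      - portainer_network
      - prometheus_network
      - qbittorrent_network
      - syncthing_network
      - wikijs_network
      - wireguard_network
    restart: unless-stopped
    labels:
      # Apex-domain router: no backend (noop@internal), only a permanent
      # redirect from pukeko.xyz to dash.pukeko.xyz.
      - "traefik.enable=true"
      - "traefik.http.routers.domain.entrypoints=websecure"
      - "traefik.http.routers.domain.rule=Host(`pukeko.xyz`)"
      - "traefik.http.routers.domain.service=noop@internal"
      - "traefik.http.routers.domain.tls.certresolver=pukekoresolver"
      - "traefik.http.routers.domain.middlewares=domain"
      - 'traefik.http.middlewares.domain.redirectregex.regex=^https://pukeko.xyz/(.*)'
      # `$$` is a literal `$` escaped for compose interpolation.
      - 'traefik.http.middlewares.domain.redirectregex.replacement=https://dash.pukeko.xyz/$${1}'
      - "traefik.http.middlewares.domain.redirectregex.permanent=true"

  homer:
    # NOTE(review): image is not pinned to a tag or digest.
    image: b4bz/homer
    container_name: homer
    volumes:
      - "/Red-Vol/Media/Containers/homer/assets/:/www/assets"
    ports:
      # NOTE(review): publishing this port makes Homer reachable directly on
      # the host, bypassing the authelia middleware that is applied only on
      # the Traefik router. Remove it or bind it to 127.0.0.1 if all access is
      # meant to go through Traefik.
      - "4957:8080"
    environment:
      - UID=1000
      - GID=1000
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.homer.entrypoints=websecure"
      - "traefik.http.routers.homer.rule=Host(`dash.pukeko.xyz`)"
      - "traefik.http.routers.homer.service=homer-traefik@docker"
      - "traefik.http.routers.homer.tls.certresolver=pukekoresolver"
      # Requests are authorised by Authelia before they reach Homer.
      - "traefik.http.routers.homer.middlewares=authelia@docker"
    networks:
      - traefik_network

  authelia:
    # NOTE(review): `latest` is a moving tag; pin a version or digest so an
    # update of the authentication component is a deliberate change.
    image: authelia/authelia:latest
    container_name: authelia
    environment:
      - TZ=Asia/Jerusalem
      # The OIDC issuer key is read from a compose secret, not from an inline value.
      - AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE=/run/secrets/private_key
    volumes:
      - "./authelia:/config"
    restart: unless-stopped
    secrets:
      - hmac
      - private_key
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.authelia.rule=Host(`auth.pukeko.xyz`)'
      - 'traefik.http.routers.authelia.entrypoints=websecure'
      # NOTE(review): unlike the other routers, no tls.certresolver is set
      # here; confirm that auth.pukeko.xyz is served with a valid certificate.
      - 'traefik.http.routers.authelia.tls=true'
      # Forward-auth middleware for browser sessions (redirects to the portal).
      - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.pukeko.xyz/'
      - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
      - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email'
      # Forward-auth middleware variant using HTTP basic authentication.
      - 'traefik.http.middlewares.authelia-basic.forwardauth.address=http://authelia:9091/api/verify?auth=basic'
      - 'traefik.http.middlewares.authelia-basic.forwardauth.trustForwardHeader=true'
      - 'traefik.http.middlewares.authelia-basic.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email'
    expose:
      # Reachable only from attached networks; not published on the host.
      - "9091"
    networks:
      - traefik_network

secrets:
  # File-backed secrets mounted under /run/secrets in the authelia container.
  # The source files must stay out of version control.
  hmac:
    file: ./authelia/secrets/hmac
  private_key:
    file: ./authelia/secrets/issuer_private_key

networks:
  traefik_network:
    driver: bridge
  # NOTE(review): declared but not attached to any service in this file.
  traefik_internal:
    driver: bridge
  # Application networks created by other stacks; they must exist before
  # this stack is started.
  arr_network:
    external: true
  filebrowser_network:
    external: true
  freshrss_network:
    external: true
  gitea_network:
    external: true
  grocy_network:
    external: true
  jekyll_network:
    external: true
  jellyfin_network:
    external: true
  joplin_network:
    external: true
  photoprism_network:
    external: true
  podgrab_network:
    external: true
  portainer_network:
    external: true
  prometheus_network:
    external: true
  vaultwarden_network:
    external: true
  vikunja_network:
    external: true
  wikijs_network:
    external: true
  wireguard_network:
    external: true
  qbittorrent_network:
    external: true
  syncthing_network:
    external: true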