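---
# Reverse-proxy stack: Traefik terminates TLS on 80/443 and delegates
# authentication to Authelia (forwardAuth); Redis sits on the Authelia network
# and nginx1 is a sample protected backend.
#
# Compose substitutes ${DOMAIN} from the environment or an .env file.

services:
  traefik:
    image: traefik:v3.0.2
    container_name: traefik
    restart: unless-stopped
    cap_add:
      - NET_BIND_SERVICE
    security_opt:
      - "no-new-privileges:true"
    labels:
      - "traefik.enable=true"
      # Dashboard/API router: HTTPS only and gated by the Authelia middleware.
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.options=default"
      - "traefik.http.routers.traefik.tls.certresolver=letsEncrypt"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=authelia@docker"
      # NOTE(review): the router above targets api@internal, so this service
      # definition looks unused -- confirm before relying on port 888.
      - "traefik.http.services.traefik-traefik.loadbalancer.server.port=888"
      # global redirect to https
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # The image is Traefik v3, whose HostRegexp matcher takes a plain Go
      # regular expression. The v2 form hostregexp(`{host:.+}`) only works if
      # the static config opts back into v2 rule syntax (not visible here);
      # otherwise the catch-all never matches and plain-HTTP requests are not
      # redirected. PathPrefix(`/`) matches every request under both syntaxes.
      - "traefik.http.routers.http-catchall.rule=PathPrefix(`/`)"
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # The :ro flag only protects the socket file; it does not restrict
      # Docker API calls made through it. Access to this socket is effectively
      # root on the host, so consider a socket proxy that exposes only the
      # read-only endpoints Traefik needs.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik/traefik.yaml:/traefik.yml:ro
      # Holds the ACME account key and certificate private keys; must stay
      # writable for Traefik, so keep the host file at mode 600.
      - ./data/traefik/acme.json:/acme.json
      - ./data/logs/stdout.log:/data/stdout.log:rw
      - ./data/logs/access.log:/data/access.log:rw
    ports:
      # Quoted so no YAML parser can read a port mapping as a number.
      - "80:80"
      - "443:443"
    networks:
      - webproxy
      - authelia

  authelia:
    container_name: authelia
    image: authelia/authelia:4.38.8
    restart: unless-stopped
    # NOTE(review): with the health check disabled Docker will not flag a
    # hung Authelia; re-enable it unless there is a specific reason not to.
    healthcheck:
      disable: true
    command:
      - 'authelia'
      - '--config=/config/configuration.yml'
      - '--config=/config/access_control.yml'
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=webproxy"
      - "traefik.http.routers.authelia.rule=Host(`auth.${DOMAIN}`)"
      - "traefik.http.routers.authelia.entrypoints=https"
      - "traefik.http.routers.authelia.tls=true"
      - "traefik.http.routers.authelia.tls.certresolver=letsEncrypt"
      - 'traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/authz/forward-auth?authelia_url=https%3A%2F%2Fauth.${DOMAIN}%2F'
      # trustForwardHeader passes existing X-Forwarded-* headers on to
      # Authelia. Traefik is the internet-facing edge here, so make sure the
      # entrypoints in traefik.yaml do not accept forwarded headers from
      # arbitrary clients (trusted IPs only, never the insecure mode).
      - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
      # Backends receive identity only via these headers; they must be
      # reachable solely through Traefik or the headers can be forged.
      - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email"
      - "traefik.http.routers.authelia.middlewares=redirect-to-https"
    environment:
      TZ: "Asia/Novosibirsk"
      # *_FILE keeps the SMTP password out of the environment and this file.
      AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE: /secrets/smtp-pass.key
    volumes:
      - ./data/authelia:/config
      # Authelia only reads its secret files, so mount them read-only.
      - ./data/authelia/secrets:/secrets:ro
    networks:
      - webproxy
      - authelia

  redis:
    # NOTE(review): floating tag; pin a specific version (ideally by digest)
    # so image updates are deliberate.
    image: redis:alpine
    restart: unless-stopped
    container_name: redis
    volumes:
      - ./data/redis:/data
    # No password is configured in this file, so any container attached to
    # the authelia network can talk to Redis.
    networks:
      - authelia

  nginx1:
    # NOTE(review): untagged image resolves to :latest; pin a version.
    image: nginx
    restart: unless-stopped
    container_name: nginx1
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=webproxy"
      - "traefik.http.routers.nginx.rule=Host(`test1.${DOMAIN}`)"
      - "traefik.http.routers.nginx.entrypoints=https"
      - "traefik.http.routers.nginx.tls=true"
      - "traefik.http.routers.nginx.tls.certresolver=letsEncrypt"
      - "traefik.http.routers.nginx.middlewares=authelia@docker"
    # NOTE(review): Traefik reaches this backend over webproxy (see
    # traefik.docker.network above). Membership of the authelia network also
    # gives it a path to Redis and Authelia; drop it unless it is needed.
    networks:
      - authelia
      - webproxy

networks:
  authelia:
    name: authelia-net
  webproxy:
    name: webproxy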