services:
  traefik:
    image: traefik
    container_name: traefik
    restart: unless-stopped
    cap_add:
      - NET_BIND_SERVICE
    security_opt:
      - no-new-privileges:true
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.http.routers.traefik.rule=Host(`traefik.lab.realmanual.ru`)"
      - "traefik.http.routers.traefik.tls=true"
      - 'traefik.http.routers.traefik.tls.options=default'
      - "traefik.http.routers.traefik.tls.certresolver=letsEncrypt"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.services.traefik-traefik.loadbalancer.server.port=888"
      - 'traefik.http.middlewares.tinyauth.forwardauth.address=http://tinyauth:3000/api/auth/traefik'
      - 'traefik.http.middlewares.tinyauth.forwardauth.trustForwardHeader=true'
      - 'traefik.http.routers.traefik.middlewares=tinyauth'
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
      - ./logs/stdout.log:/data/stdout.log:rw
      - ./logs/access.log:/data/access.log:rw
    ports:
      - 80:80
      - 443:443
    networks:
      - webproxy

  tinyauth:
    container_name: tinyauth-ggsel
    image: ghcr.io/steveiliop56/tinyauth:v3
    restart: unless-stopped
    environment:
      - SECRET=dfmGGllQXsQ7U8KbJ47etByrVqWuiKvo
      - APP_URL=https://tinyauth.lab.realmanual.ru
      # - USERS=admin:$$2a$$10$$arlbhE48xDt58L3a5aZc6.j4tGWrandXjwCPBUh8RzJI6ZeuA6Psy:UE27NIYXVISBMGEKG4UXJVWAS5W3TNZC # pass: pa4803w0rd + TOTP
      - USERS=admin:$$2a$$10$$arlbhE48xDt58L3a5aZc6.j4tGWrandXjwCPBUh8RzJI6ZeuA6Psy # pass: pa4803w0rd
      - DISABLE_CONTINUE=true
      - APP_TITLE=My best auth
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.tinyauth.entrypoints=https'
      - "traefik.http.routers.tinyauth.tls.certresolver=letsEncrypt"
      - 'traefik.http.routers.tinyauth.tls=true'
      - 'traefik.http.routers.tinyauth.rule=Host(`tinyauth.lab.realmanual.ru`)'
      - "traefik.docker.network=webproxy"
    networks:
      - webproxy

  whoami:
    image: traefik/whoami:latest
    container_name: app1
    restart: unless-stopped
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.whoami.entrypoints=https'
      - "traefik.http.routers.whoami.tls.certresolver=letsEncrypt"
      - 'traefik.http.routers.whoami.tls=true'
      - 'traefik.http.routers.whoami.rule=Host(`app1.lab.realmanual.ru`)'
      - 'traefik.http.routers.whoami.middlewares=tinyauth'
      - "traefik.docker.network=webproxy"
    networks:
      - webproxy

networks:
  webproxy:
    name: webproxy