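# VPN Stack
#
# Two services share one network namespace: gluetun holds the VPN tunnel and
# qbittorrent attaches to it with network_mode 'service:gluetun'. Because of
# that, every published port and every Traefik label for qBittorrent has to be
# declared on gluetun.

# RESTART POLICY GUIDE:
# - unless-stopped: Core infrastructure services that should always run
# - no: Services with Sablier lazy loading (start on-demand)
# - See individual service comments for specific reasoning

services:
  # Gluetun - VPN client (Surfshark)
  # Routes download clients through VPN for security
  gluetun:
    # NOTE(review): floating tag plus the Watchtower enable label below means
    # this container (NET_ADMIN, VPN credentials in its environment) is
    # replaced by whatever the registry serves as 'latest'. Consider pinning a
    # version tag or digest and updating deliberately.
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    # NOTE(review): this service carries Sablier labels but uses
    # unless-stopped, which the guide above reserves for always-on services.
    # qbittorrent lives in this container's network namespace and has no
    # Sablier labels of its own - confirm what happens to it when Sablier
    # stops and restarts gluetun.
    restart: unless-stopped
    # NET_ADMIN and the tun device are what the VPN client needs to create the
    # tunnel interface and manage routes/firewall rules.
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    networks:
      - homelab-network
      - traefik-network
    # No host IP is given, so every mapping binds on all host interfaces.
    # NOTE(review): '8081:8080' reaches the qBittorrent WebUI directly, without
    # the Authelia middleware that protects the Traefik route below. Restrict
    # it with a host firewall or a host-IP prefix, or drop it if only the
    # Traefik route is meant to be used.
    # NOTE(review): no HTTP proxy or Shadowsocks setting appears in the
    # environment list below - confirm those servers are enabled and require
    # credentials, otherwise drop the 8888/8388 mappings.
    ports:
      - '8888:8888/tcp'  # HTTP proxy
      - '8388:8388/tcp'  # Shadowsocks
      - '8388:8388/udp'  # Shadowsocks
      - '8081:8080'  # qBittorrent web UI
      - '6881:6881'  # qBittorrent
      - '6881:6881/udp'  # qBittorrent
    volumes:
      - ./gluetun:/gluetun
    # ${...} values are substituted by Compose from the shell or an .env file;
    # keep the file that holds the Surfshark credentials out of version control.
    environment:
      - VPN_SERVICE_PROVIDER=surfshark
      - VPN_TYPE=openvpn
      - OPENVPN_USER=${SURFSHARK_USERNAME}
      - OPENVPN_PASSWORD=${SURFSHARK_PASSWORD}
      - SERVER_COUNTRIES=${VPN_SERVER_COUNTRIES}
      - TZ=${TZ}
    # TRAEFIK CONFIGURATION
    labels:
      # Service metadata
      - 'com.centurylinklabs.watchtower.enable=true'
      - 'homelab.category=downloaders'
      - 'homelab.description=VPN client for secure downloads'
      - 'traefik.enable=true'
      - 'traefik.docker.network=traefik-network'
      # Router configuration
      - 'traefik.http.routers.qbittorrent.rule=Host(`qbittorrent.${DOMAIN}`)'
      - 'traefik.http.routers.qbittorrent.entrypoints=websecure'
      - 'traefik.http.routers.qbittorrent.tls=true'
      - 'traefik.http.routers.qbittorrent.middlewares=authelia@docker'
      # Service configuration
      # Traefik connects to this container over traefik-network, so the port
      # must be the one the WebUI listens on inside the shared namespace
      # (WEBUI_PORT=8080 on qbittorrent), not the host-published 8081.
      - 'traefik.http.services.qbittorrent.loadbalancer.server.port=8080'
      # Sablier configuration
      - 'sablier.enable=true'
      - 'sablier.group=jasper-qbittorrent'
      - 'sablier.sessionDuration=1h'

  # qBittorrent - Torrent client
  qbittorrent:
    # NOTE(review): floating tag; same pinning consideration as gluetun.
    image: lscr.io/linuxserver/qbittorrent:latest
    deploy:
      resources:
        limits:
          cpus: '1.0'
          memory: 512M
          pids: 1024
        reservations:
          cpus: '0.50'
          memory: 256M
    container_name: qbittorrent
    restart: unless-stopped
    # No networks/ports of its own: all traffic uses gluetun's namespace.
    network_mode: 'service:gluetun'  # Routes through VPN in same compose file
    volumes:
      - ./qbittorrent/config:/config
      - ${DOWNLOAD_DIR}:/downloads
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
      - WEBUI_PORT=8080
    # Short form only orders container start; it does not wait for gluetun to
    # report healthy.
    depends_on:
      - gluetun

networks:
  homelab-network:
    external: true
  traefik-network:
    external: true

x-dockge:
  urls:
    - https://qbittorrent.${DOMAIN}
    # NOTE(review): direct host-port URL; this path does not pass through the
    # Authelia middleware, and https only works if qBittorrent's own WebUI TLS
    # is enabled - confirm.
    - https://192.168.4.4:8081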