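---
# Core Infrastructure Services
#
# RESTART POLICY GUIDE:
# - unless-stopped: Core infrastructure services that should always run
# - no: Services with Sablier lazy loading (start on-demand)
# - See individual service comments for specific reasoning
#
# NOTE(review):
# - Only pihole is pinned to an exact tag; duckdns and authelia track
#   `latest` and traefik a floating major (`v3`), so pulls of the auth and
#   proxy layer are not reproducible. Consider pinning tags or digests.
# - Host-published ports 8080 (traefik API/dashboard) and 9091 (authelia)
#   are reachable without going through the Traefik routers, so the
#   `authelia@docker` middleware does not cover them. If they are only
#   needed from the host, bind them as `127.0.0.1:8080:8080` etc.
# - Port mappings are quoted throughout (YAML 1.1 parsers can read
#   unquoted `a:b` with small numbers as a base-60 integer).

services:
  duckdns:
    # Dynamic DNS service - must always run to maintain domain resolution
    image: lscr.io/linuxserver/duckdns:latest
    container_name: duckdns
    restart: unless-stopped
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
      - SUBDOMAINS=${DUCKDNS_SUBDOMAINS}
      - TOKEN=${DUCKDNS_TOKEN}  # secret is read from the environment/.env, never inlined here
    volumes:
      - ./duckdns/config:/config
    networks:
      - traefik-network

  traefik:
    # Reverse proxy and SSL termination - core routing service, must always run
    image: traefik:v3
    container_name: traefik
    restart: unless-stopped
    command: ['--configFile=/config/traefik.yml']
    environment:
      # Presumably consumed by the letsencrypt resolver's DNS challenge - confirm in traefik.yml
      - DUCKDNS_TOKEN=${DUCKDNS_TOKEN}
    ports:
      - '80:80'
      - '443:443'
      - '8080:8080'  # traefik API/dashboard; see NOTE(review) at top of file
    volumes:
      - ./traefik/config:/config
      - ./traefik/letsencrypt:/letsencrypt
      - ./traefik/dynamic:/dynamic
      # Read-only mount limits writes, but any access to the Docker socket is
      # equivalent to host root - keep this image trusted and pinned.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - traefik-network
    labels:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
      - 'homelab.category=core'
      - 'homelab.description=Reverse proxy and SSL termination'
      - 'traefik.enable=true'
      - 'traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)'
      - 'traefik.http.routers.traefik.entrypoints=websecure'
      - 'traefik.http.routers.traefik.tls.certresolver=letsencrypt'
      # Dashboard is protected by SSO only on this router, not on the published 8080 port
      - 'traefik.http.routers.traefik.middlewares=authelia@docker'
      - 'traefik.http.services.traefik.loadbalancer.server.port=8080'

  authelia:
    # Single sign-on authentication service - must always run for user authentication
    image: authelia/authelia:latest
    container_name: authelia
    restart: unless-stopped
    environment:
      - TZ=${TZ}
    ports:
      - '9091:9091'  # direct (non-TLS) access; see NOTE(review) at top of file
    volumes:
      - ./authelia/config:/config
      - ./authelia/secrets:/secrets
    networks:
      - traefik-network
    depends_on:
      - traefik
    labels:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
      - 'homelab.category=core'
      - 'homelab.description=Single sign-on authentication'
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED;
      # configure external yml files in /traefik/dynamic folder instead.
      - 'traefik.enable=true'
      - 'traefik.http.routers.authelia.rule=Host(`auth.${DOMAIN}`)'
      - 'traefik.http.routers.authelia.entrypoints=websecure'
      - 'traefik.http.routers.authelia.tls.certresolver=letsencrypt'
      - 'traefik.http.routers.authelia.service=authelia'
      - 'traefik.http.services.authelia.loadbalancer.server.port=9091'
      # Authelia forward auth middleware configuration
      # (referenced by other services as `authelia@docker`)
      - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.${DOMAIN}/'
      - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=X-Secret'
      # trustForwardHeader passes incoming X-Forwarded-* headers through as-is;
      # this is only safe if the websecure entrypoint restricts
      # forwardedHeaders.trustedIPs - verify in traefik.yml.
      - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'

  pihole:
    # Network-wide DNS sinkhole; pinned tag (the only pinned image in this stack)
    image: pihole/pihole:2024.01.0
    deploy:
      resources:
        limits:
          cpus: '0.25'
          memory: 128M
          pids: 256
        reservations:
          cpus: '0.10'
          memory: 64M
    container_name: pihole
    restart: unless-stopped
    networks:
      - traefik-network
    ports:
      - '53:53/tcp'  # DNS TCP
      - '53:53/udp'  # DNS UDP
    volumes:
      - ./pihole/etc-pihole:/etc/pihole
      - ./pihole/etc-dnsmasq.d:/etc/dnsmasq.d
    environment:
      - TZ=${TZ}
      - WEBPASSWORD=${PIHOLE_PASSWORD}
      # Hard-coded, while the rest of the file uses ${SERVER_IP};
      # confirm whether these are the same host and parameterize if so.
      - FTLCONF_LOCAL_IPV4=192.168.4.4
    dns:
      - 127.0.0.1
      - 1.1.1.1
    cap_add:
      - NET_ADMIN  # needed for DHCP/firewall features; drop if only DNS is used
    labels:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
      - 'homelab.category=infrastructure'
      - 'homelab.description=Network-wide ad blocking and DNS'
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # IMPORTANT: On REMOTE SERVERS (where Traefik runs elsewhere):
      # - COMMENT OUT all traefik.* labels below (don't delete them)
      # - Routes are configured via external YAML files on the core server
      # - This prevents conflicts between Docker labels and file provider
      - 'traefik.enable=true'
      - 'traefik.docker.network=traefik-network'
      - 'traefik.http.routers.pihole.rule=Host(`pihole.${DOMAIN}`)'
      - 'traefik.http.routers.pihole.entrypoints=websecure'
      - 'traefik.http.routers.pihole.tls.certresolver=letsencrypt'
      - 'traefik.http.routers.pihole.middlewares=authelia@docker'
      - 'traefik.http.services.pihole.loadbalancer.server.port=80'

networks:
  traefik-network:
    external: true

# Dockge UI shortcuts for this stack
x-dockge:
  urls:
    - https://auth.${DOMAIN}
    - http://${SERVER_IP}:9091
    - https://traefik.${DOMAIN}
    - http://${SERVER_IP}:8080
    - https://pihole.${DOMAIN}
    # Port 53 is published as DNS above, not as a web UI; this link will
    # not open in a browser - presumably meant to be the pihole web port.
    - http://${SERVER_IP}:53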