x-dockge:
  urls:
    - https://auth.${DOMAIN}

services:
  
  duckdns:
    image: lscr.io/linuxserver/duckdns:latest
    container_name: duckdns
    restart: unless-stopped
    environment:
      - PUID=${PUID:-1000}
      - PGID=${PGID:-1000}
      - TZ=${TZ}
      - SUBDOMAINS=${DUCKDNS_SUBDOMAINS}
      - TOKEN=${DUCKDNS_TOKEN}
    volumes:
      - ./duckdns/config:/config
    networks:
      - traefik-network
  
  traefik:
    image: traefik:v3
    container_name: traefik
    restart: unless-stopped
    command: ["--configFile=/config/traefik.yml"]
    environment:
      - DUCKDNS_TOKEN=${DUCKDNS_TOKEN}
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    volumes:
      - ./traefik/config:/config
      - ./traefik/letsencrypt:/letsencrypt
      - ./traefik/dynamic:/dynamic
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - traefik-network
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik.middlewares=authelia@docker"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
      - "homelab.category=dashboards"
      - "homelab.description=Personal dashboard and service overview"
      - "x-dockge.url=https://traefik.${DOMAIN}"

  authelia:
    image: authelia/authelia:latest
    container_name: authelia
    restart: unless-stopped
    environment:
      - TZ=${TZ}
    volumes:
      - ./authelia/config:/config
      - ./authelia/secrets:/secrets
    networks:
      - traefik-network
    depends_on:
      - traefik
    labels:
      - traefik.enable=true
      - traefik.http.routers.authelia.rule=Host(`auth.${DOMAIN}`)
      - traefik.http.routers.authelia.entrypoints=websecure
      - traefik.http.routers.authelia.tls.certresolver=letsencrypt
      - traefik.http.routers.authelia.service=authelia
      - traefik.http.services.authelia.loadbalancer.server.port=9091
      - traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.${DOMAIN}/
      - traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=X-Secret
      - traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
      - x-dockge.url=https://auth.${DOMAIN}

  dockerproxy:
    image: tecnativa/docker-socket-proxy:latest
    container_name: dockerproxy
    privileged: true
    restart: unless-stopped
    ports:
      - 2375:2375
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - CONTAINERS=1
      - SERVICES=1
      - TASKS=1
      - NETWORKS=1
      - NODES=1
    labels:
      - homelab.category=infrastructure
      - homelab.description=Docker socket proxy for security

  # Sablier - Lazy loading service for Docker containers
  sablier-service:
    image: sablierapp/sablier:latest
    container_name: sablier-service
    restart: unless-stopped
    networks:
      - traefik-network
    environment:
      - SABLIER_PROVIDER=docker
      - SABLIER_DOCKER_API_VERSION=1.53
      - SABLIER_DOCKER_NETWORK=traefik-network
      - SABLIER_LOG_LEVEL=debug
      - DOCKER_HOST=tcp://192.168.4.11:2375
    ports:
      - 10000:10000
    labels:
      - homelab.category=infrastructure
      - homelab.description=Lazy loading service for Docker containers

networks:
  traefik-network:
    external: true