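---
# Core Infrastructure Services
# These services form the foundation of the homelab and should always be
# running.
# Place in /opt/stacks/core/docker-compose.yml

# RESTART POLICY GUIDE:
# - unless-stopped: Core infrastructure services that should always run
# - no: Services with Sablier lazy loading (start on-demand)
# - See individual service comments for specific reasoning

# NOTE(review): duckdns, authelia and sablier use the floating `latest` tag and
# traefik uses the major-only `v3` tag, so a pull can change what runs on the
# trust boundary (proxy, SSO, container control) without a change to this
# file. Pinning to a specific version or digest makes upgrades deliberate.

services:

  duckdns:
    # Dynamic DNS service - must always run to maintain domain resolution
    image: lscr.io/linuxserver/duckdns:latest
    container_name: duckdns
    restart: unless-stopped
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
      - SUBDOMAINS=${DUCKDNS_SUBDOMAINS}
      # The DuckDNS token is a credential: anyone holding it can repoint the
      # domain. It is interpolated from the environment / .env file, so keep
      # that file out of version control.
      - TOKEN=${DUCKDNS_TOKEN}
    volumes:
      - ./duckdns/config:/config
    networks:
      - traefik-network

  traefik:
    # Reverse proxy and SSL termination - core routing service, must always run
    image: traefik:v3
    container_name: traefik
    restart: unless-stopped
    command:
      - "--configFile=/config/traefik.yml"
    environment:
      # Same DuckDNS credential as the duckdns service; presumably consumed by
      # the `letsencrypt` certificate resolver for a DNS challenge - confirm
      # against /config/traefik.yml, which is not part of this file.
      - DUCKDNS_TOKEN=${DUCKDNS_TOKEN}
    ports:
      - "80:80"
      - "443:443"
      # NOTE(review): 8080 is published on every host interface, while the
      # router label below puts the same port behind the Authelia middleware.
      # A request sent straight to <host>:8080 does not pass through that
      # router. Whether anything answers there depends on the entrypoint/API
      # settings in /config/traefik.yml (not shown); if the dashboard is only
      # meant to be reached via traefik.${DOMAIN}, this mapping can be dropped
      # or bound to a loopback/management address.
      - "8080:8080"
    volumes:
      - ./traefik/config:/config
      - ./traefik/letsencrypt:/letsencrypt
      - ./traefik/dynamic:/dynamic
      # NOTE(review): `:ro` makes the socket file read-only as a mount; it
      # does not restrict which Docker API calls can be issued through it.
      # Any process in this container that can open the socket has full
      # control of the Docker daemon. A filtering socket proxy limited to the
      # read endpoints Traefik needs narrows that exposure.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - traefik-network
    labels:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
      - "homelab.category=core"
      - "homelab.description=Reverse proxy and SSL termination"
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED;
      # configure external yml files in /traefik/dynamic folder instead.
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
      # Requests for traefik.${DOMAIN} must pass Authelia forward auth first.
      - "traefik.http.routers.traefik.middlewares=authelia@docker"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"

  authelia:
    # Single sign-on authentication service - must always run for user
    # authentication
    image: authelia/authelia:latest
    container_name: authelia
    restart: unless-stopped
    environment:
      - TZ=${TZ}
    ports:
      # NOTE(review): Traefik reaches Authelia over traefik-network
      # (http://authelia:9091 below), so this host mapping is an additional,
      # direct path to the login portal that skips Traefik's TLS termination.
      # Confirm it is needed; otherwise remove it or bind it to a
      # management address.
      - "9091:9091"
    volumes:
      - ./authelia/config:/config
      # Holds Authelia secret material; keep host permissions tight and the
      # directory out of version control and backups that leave the host.
      - ./authelia/secrets:/secrets
    networks:
      - traefik-network
    depends_on:
      - traefik
    labels:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
      - "homelab.category=core"
      - "homelab.description=Single sign-on authentication"
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED;
      # configure external yml files in /traefik/dynamic folder instead.
      - "traefik.enable=true"
      - "traefik.http.routers.authelia.rule=Host(`auth.${DOMAIN}`)"
      - "traefik.http.routers.authelia.entrypoints=websecure"
      - "traefik.http.routers.authelia.tls.certresolver=letsencrypt"
      - "traefik.http.routers.authelia.service=authelia"
      - "traefik.http.services.authelia.loadbalancer.server.port=9091"
      # Authelia forward auth middleware configuration
      # NOTE(review): /api/verify is Authelia's legacy verification endpoint.
      # With the image on `latest`, check the running release still serves
      # it; if it stops answering, every router using this middleware fails
      # authentication.
      - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.${DOMAIN}/"
      # Only X-Secret is copied from Authelia's response onto the request
      # forwarded to the backend.
      # NOTE(review): confirm backends do not expect identity headers that
      # are not listed here.
      - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=X-Secret"
      # NOTE(review): with trustForwardHeader=true Traefik passes existing
      # X-Forwarded-* headers to Authelia as received. That is only safe when
      # the entrypoints accept those headers from trusted proxies alone
      # (forwardedHeaders.trustedIPs in /config/traefik.yml, not shown);
      # otherwise a client can supply its own values and influence
      # address-based access rules.
      - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"

  # Sablier - Lazy loading service for Docker containers
  # Controls startup/shutdown of lazy-loaded services, must always run
  # REQUIREMENTS FOR DOCKER API ACCESS:
  # 1. Docker daemon must be configured to listen on TCP port 2375
  # 2. DOCKER_HOST environment variable must point to accessible Docker API
  #    endpoint
  # 3. Firewall must allow TCP connections to Docker API port (default 2375)
  # 4. For production, consider using TLS for Docker API communication
  # 5. Ensure dockerproxy service is running and accessible
  #
  # NOTE(review): port 2375 is the plaintext, unauthenticated Docker API.
  # Whoever can reach it can start containers and mount host paths, which is
  # equivalent to root on that host. Requirements 1 and 5 describe two
  # different setups; prefer the proxy (5) with only the container endpoints
  # Sablier needs enabled, and scope the firewall rule in (3) to this host's
  # address rather than the whole LAN.
  sablier-service:
    image: sablierapp/sablier:latest
    container_name: sablier-service
    restart: unless-stopped
    networks:
      - traefik-network
    environment:
      - SABLIER_PROVIDER=docker
      - SABLIER_DOCKER_API_VERSION=1.51
      - SABLIER_DOCKER_NETWORK=traefik-network
      # NOTE(review): debug logging is verbose; drop it to a quieter level
      # once the setup works so logs stay useful and small.
      - SABLIER_LOG_LEVEL=debug
      # Hard-coded LAN address of the Docker API endpoint (see note above).
      - DOCKER_HOST=tcp://192.168.4.11:2375
    ports:
      # NOTE(review): publishes Sablier's API on every host interface. No
      # authentication for it is configured in this file; if only Traefik
      # talks to it over traefik-network, this mapping is not required.
      - "10000:10000"
    labels:
      # Service metadata
      - "homelab.category=core"
      - "homelab.description=Lazy loading service for Docker containers"

networks:
  traefik-network:
    # Created outside this stack; it must exist before `docker compose up`.
    external: true

# Dockge UI shortcut links for this stack.
x-dockge:
  urls:
    - https://auth.${DOMAIN}
    # Fixed: was `{$SERVER_IP}`, which expands to a literal `{<ip>}` and
    # yields an unusable URL.
    # NOTE(review): the two direct-port links use https; confirm ports 9091
    # and 8080 actually serve TLS, otherwise these links will not load.
    - https://${SERVER_IP}:9091
    - https://traefik.${DOMAIN}
    - https://${SERVER_IP}:8080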