# Backup and Utility Services
# Place in /opt/stacks/utilities/docker-compose.yml

# RESTART POLICY GUIDE:
# - unless-stopped: Core infrastructure services that should always run
# - no: Services with Sablier lazy loading (start on-demand)
# - See individual service comments for specific reasoning

# Service Access URLs:
# - Backrest: https://backrest.${DOMAIN}
# - Duplicati: https://duplicati.${DOMAIN}
# - Form.io: https://forms.${DOMAIN}
# - Vaultwarden (Bitwarden): https://vault.${DOMAIN}

x-dockge:
  urls:
    - https://backrest.${DOMAIN}
    - https://duplicati.${DOMAIN}
    - https://forms.${DOMAIN}
    - https://vault.${DOMAIN}
services:
  # Backrest - Backup solution for restic
  # Access at: https://backrest.${DOMAIN}
  # Uses Sablier lazy loading - starts on-demand, stops after 5min inactivity
  backrest:
    image: garethgeorge/backrest:latest
    container_name: backrest
    restart: no
    networks:
      - homelab-network
      - traefik-network
    ports:
      - "9898:9898"
    volumes:
      - ./backrest/data:/data
      - ./backrest/config:/config
      - /opt/stacks:/opt/stacks:ro # Backup source
      - /mnt:/mnt:ro # Backup additional drives
      - backrest-cache:/cache
    environment:
      - BACKREST_DATA=/data
      - BACKREST_CONFIG=/config/config.json
      - TZ=${TZ}
    labels:
      # ==========================================
      # TRAEFIK & SABLIER CONFIGURATION
      # ==========================================
      
      # Service metadata
      - homelab.category=utilities
      - homelab.description=Backup management with restic
      
      # Traefik reverse proxy (uncomment to enable)
      - traefik.enable=true
      - traefik.http.routers.backrest.rule=Host(`backrest.${DOMAIN}`)
      - traefik.http.routers.backrest.entrypoints=websecure
      - traefik.http.routers.backrest.tls.certresolver=letsencrypt
      - traefik.http.routers.backrest.middlewares=authelia@docker
      - traefik.http.services.backrest.loadbalancer.server.port=9898
      
      # Sablier lazy loading (uncomment to enable)
      - sablier.enable=true
      - sablier.group=${SERVER_HOSTNAME:-debian}-backrest
      - sablier.start-on-demand=true
      - "x-dockge.url=https://backrest.${DOMAIN}"
      - "x-dockge.url=https://backrest.${DOMAIN}"
  # Duplicati - Backup solution
  # Access at: https://duplicati.${DOMAIN}
  duplicati:
    image: lscr.io/linuxserver/duplicati:2.0.7
    container_name: duplicati
    restart: unless-stopped
    networks:
      - homelab-network
      - traefik-network
    ports:
      - "8200:8200"
    volumes:
      - ./duplicati/config:/config
      - /opt/stacks:/source/stacks:ro
      - /mnt:/source/mnt:ro
      - /mnt/backups:/backups
    environment:
      - PUID=${PUID:-1000}
      - PGID=${PGID:-1000}
      - TZ=${TZ}
    labels:
      # TRAEFIK & SABLIER CONFIGURATION
      # ==========================================
      # Service metadata
      - "homelab.category=utilities"
      - "homelab.description=Backup software with encryption"
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED; 
      #   configure external yml files in /traefik/dynamic folder instead.
      - "traefik.enable=true"
      - "traefik.http.routers.duplicati.rule=Host(`duplicati.${DOMAIN}`)"
      - "traefik.http.routers.duplicati.entrypoints=websecure"
      - "traefik.http.routers.duplicati.tls.certresolver=letsencrypt"
      - "traefik.http.routers.duplicati.middlewares=authelia@docker"
      - "traefik.http.services.duplicati.loadbalancer.server.port=8200"
  # Form.io - Form builder
  # Uncomment and configure if formio/formio image becomes available
  formio:
    image: calipseo/formio:latest
    container_name: formio
    restart: unless-stopped
    networks:
      - homelab-network
      - traefik-network
      - formio-network
    ports:
      - "3001:3001"
    environment:
      - MONGO=mongodb://formio-mongo:27017/formio
      - JWT_SECRET=${FORMIO_JWT_SECRET}
      - DB_SECRET=${FORMIO_DB_SECRET}
    depends_on:
      - formio-mongo
    labels:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
      - "homelab.category=utilities"
      - "homelab.description=Form builder platform"
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED; 
      #   configure external yml files in /traefik/dynamic folder instead.
      - "traefik.enable=true"
      - "traefik.http.routers.formio.rule=Host(`forms.${DOMAIN}`)"
      - "traefik.http.routers.formio.entrypoints=websecure"
      - "traefik.http.routers.formio.tls.certresolver=letsencrypt"
      - "traefik.http.routers.formio.middlewares=authelia@docker"
      - "traefik.http.services.formio.loadbalancer.server.port=3001"

  formio-mongo:
    image: mongo:4.4
    container_name: formio-mongo
    restart: unless-stopped
    networks:
      - formio-network
    labels:
      - "homelab.category=utilities"
      - "homelab.description=Form.io database"

  # Bitwarden (Vaultwarden) - Password manager
  # Access at: https://vault.${DOMAIN}
  # Note: SSO disabled for browser extension and mobile app compatibility
  vaultwarden:
    image: vaultwarden/server:1.30.1
    container_name: vaultwarden
    restart: unless-stopped
    networks:
      - homelab-network
      - traefik-network
    ports:
      - "80:80"
    volumes:
      - ./vaultwarden/data:/data
    environment:
      - DOMAIN=https://vault.${DOMAIN}
      - SIGNUPS_ALLOWED=${BITWARDEN_SIGNUPS_ALLOWED:-true}
      - INVITATIONS_ALLOWED=${BITWARDEN_INVITATIONS_ALLOWED:-true}
      - ADMIN_TOKEN=${BITWARDEN_ADMIN_TOKEN}
      # SMTP disabled - uncomment and configure to enable email
      # - SMTP_HOST=${SMTP_HOST}
      # - SMTP_FROM=${SMTP_FROM}
      # - SMTP_PORT=${SMTP_PORT:-587}
      # - SMTP_SECURITY=${SMTP_SECURITY:-starttls}
      # - SMTP_USERNAME=${SMTP_USERNAME}
      # - SMTP_PASSWORD=${SMTP_PASSWORD}
    labels:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
      - "homelab.category=utilities"
      - "homelab.description=Self-hosted password manager (Bitwarden)"
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED; 
      #   configure external yml files in /traefik/dynamic folder instead.
      - "traefik.enable=true"
      - "traefik.http.routers.vaultwarden.rule=Host(`vault.${DOMAIN}`)"
      - "traefik.http.routers.vaultwarden.entrypoints=websecure"
      - "traefik.http.routers.vaultwarden.tls=true"
      - "traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt"
      # SSO disabled for browser extension and mobile app compatibility
      # - "traefik.http.routers.vaultwarden.middlewares=authelia@docker"
      - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"
  # Authelia Redis - Session storage for Authelia
  # No web UI - backend service
#  authelia-redis:
#    image: redis:7-alpine
#    container_name: authelia-redis
#    restart: unless-stopped
#    networks:
#      - homelab-network
#    volumes:
#      - authelia-redis-data:/data
#    command: redis-server --save 60 1 --loglevel warning
#    labels:
#      - homelab.category=utilities
#      - homelab.description=Session storage for Authelia
volumes:
  backrest-cache: null
  formio-mongo-data: null
  authelia-redis-data: null
networks:
  homelab-network:
    external: true
  traefik-network:
    external: true
  formio-network:
    driver: bridge