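# Authelia SSO Stack
# Single Sign-On authentication for all services
# Place in /opt/stacks/authelia/docker-compose.yml
---
services:
  authelia:
    # NOTE(review): a two-part tag may track the newest 4.37.x patch; pin a
    # full version or an image digest if deployments must be reproducible.
    image: authelia/authelia:4.37
    container_name: authelia
    restart: unless-stopped
    networks:
      - traefik-network
    volumes:
      # Main configuration is mounted read-only so the container cannot
      # modify it.
      - /opt/stacks/authelia/configuration.yml:/config/configuration.yml:ro
      # The user database is left writable: Authelia's file backend rewrites
      # it when a user changes or resets a password. Keep host permissions on
      # this file tight, since it holds the password hashes.
      - /opt/stacks/authelia/users_database.yml:/config/users_database.yml
      # Named volume for the rest of /config.
      - authelia-data:/config
    environment:
      - TZ=${TZ}
      # Secrets are injected from the Compose environment. The ":?" form makes
      # `docker compose` stop with an error when a secret is unset or empty,
      # instead of starting the container with a blank value.
      # Environment values are readable through `docker inspect`; Authelia
      # also accepts *_FILE variants (e.g. AUTHELIA_JWT_SECRET_FILE) if you
      # prefer Docker secrets.
      - "AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET:?must be set}"
      - "AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET:?must be set}"
      - "AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_STORAGE_ENCRYPTION_KEY:?must be set}"
      - AUTHELIA_NOTIFIER_SMTP_PASSWORD=${SMTP_PASSWORD}  # If using email notifications
    labels:
      - "traefik.enable=true"
      # DOMAIN is required: without it the host rule and the redirect URL
      # below would both be built from an empty domain.
      - "traefik.http.routers.authelia.rule=Host(`auth.${DOMAIN:?must be set}`)"
      - "traefik.http.routers.authelia.entrypoints=websecure"
      - "traefik.http.routers.authelia.tls.certresolver=letsencrypt"
      - "traefik.http.services.authelia.loadbalancer.server.port=9091"
      # Authelia middleware for other services
      # The verify call stays on the internal Docker network (plain HTTP to
      # the container); only the rd= redirect target is the public HTTPS URL.
      - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.${DOMAIN}"
      # Authelia makes its decision from the X-Forwarded-* headers Traefik
      # passes on. Keep the entrypoint's forwardedHeaders.trustedIPs limited
      # to proxies you control so those headers reflect the real request.
      - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
      # These identity headers are copied from Authelia's response onto the
      # request sent to the backend. Backends that trust them should only be
      # reachable through Traefik with this middleware attached.
      - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"

volumes:
  authelia-data:
    driver: local

networks:
  # Created outside this stack (by the Traefik stack); Compose will not
  # create or remove it.
  traefik-network:
    external: true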