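# Alternative Services Stack
# This stack contains alternative/optional services that are not deployed by default

# RESTART POLICY GUIDE:
# - unless-stopped: Core infrastructure services that should always run
# - no: Services with Sablier lazy loading (start on-demand)
# - See individual service comments for specific reasoning

services:
  # Portainer - Docker management UI (Alternative to Dockge)
  # Docker management interface should always run when deployed
  portainer:
    image: portainer/portainer-ce:2.19.4
    container_name: portainer
    restart: unless-stopped
    networks:
      - homelab-network
      - traefik-network
    # No host port is published: Traefik reaches Portainer over traefik-network
    # on port 9000 (see the loadbalancer label below). Publishing 9000 on the
    # host would expose the UI without the Authelia middleware and would
    # collide with authentik-server, which listens on the same port.
    # For local-only direct access, uncomment:
    # ports:
    #   - '127.0.0.1:9000:9000'
    volumes:
      # Read-write access to the Docker socket is equivalent to root on the
      # host. Portainer needs it to manage containers, so access to this UI
      # must stay restricted.
      - /var/run/docker.sock:/var/run/docker.sock
      - ./portainer/data:/data
    security_opt:
      - 'no-new-privileges:true'
    labels:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
      - 'homelab.category=alternatives'
      - 'homelab.description=Docker container management UI (Alternative to Dockge)'
      - 'traefik.enable=true'
      - 'traefik.docker.network=traefik-network'
      - 'traefik.http.routers.portainer.rule=Host(`portainer.${DOMAIN}`)'
      - 'traefik.http.routers.portainer.entrypoints=websecure'
      - 'traefik.http.routers.portainer.tls.certresolver=letsencrypt'
      # This router is gated by the authelia@docker middleware, so the Authelia
      # stack must be running. If Authentik replaces Authelia, point this at
      # the replacement middleware rather than deleting the line.
      - 'traefik.http.routers.portainer.middlewares=authelia@docker'
      - 'traefik.http.services.portainer.loadbalancer.server.port=9000'

  # Authentik - Alternative SSO/Identity Provider with Web UI
  # Access at: https://authentik.${DOMAIN}
  # NOTE: Authelia is the default SSO. Deploy Authentik only if you need a web UI for user management
  # WARNING: Do not run both Authelia and Authentik at the same time
  # SSO service should always run when deployed as alternative to Authelia
  authentik-server:
    image: ghcr.io/goauthentik/server:2024.2.0
    container_name: authentik-server
    restart: unless-stopped
    command: server
    networks:
      - homelab-network
      - traefik-network
    # No host port is published: Traefik reaches Authentik over traefik-network
    # on port 9000. The original '9000:9000' mapping collided with the same
    # mapping on portainer and exposed the identity provider over plain HTTP
    # on every host interface.
    # For local-only direct access (not together with the Portainer mapping):
    # ports:
    #   - '127.0.0.1:9000:9000'
    volumes:
      - ./authentik/media:/media
      - ./authentik/custom-templates:/templates
    environment:
      # AUTHENTIK_DB_PASSWORD and AUTHENTIK_SECRET_KEY must be set to strong,
      # non-empty values before deploying. Compose substitutes an empty string
      # for an unset variable.
      - AUTHENTIK_REDIS__HOST=authentik-redis
      - AUTHENTIK_POSTGRESQL__HOST=authentik-db
      - AUTHENTIK_POSTGRESQL__USER=${AUTHENTIK_DB_USER}
      - AUTHENTIK_POSTGRESQL__NAME=${AUTHENTIK_DB_NAME}
      - AUTHENTIK_POSTGRESQL__PASSWORD=${AUTHENTIK_DB_PASSWORD}
      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
      - AUTHENTIK_ERROR_REPORTING__ENABLED=false
    labels:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
      - 'homelab.category=alternatives'
      - 'homelab.description=SSO/Identity provider with web UI (Alternative to Authelia)'
      - 'traefik.enable=true'
      - 'traefik.docker.network=traefik-network'
      - 'traefik.http.routers.authentik.rule=Host(`authentik.${DOMAIN}`)'
      - 'traefik.http.routers.authentik.entrypoints=websecure'
      - 'traefik.http.routers.authentik.tls.certresolver=letsencrypt'
      # No authelia@docker middleware on this router: the WARNING above rules
      # out running Authelia next to Authentik, and Traefik puts a router that
      # references a missing middleware into an error state. Authentik serves
      # its own login flow.
      - 'traefik.http.services.authentik.loadbalancer.server.port=9000'
    depends_on:
      - authentik-db
      - authentik-redis

  # Authentik Worker - Background task processor
  # SSO background worker should always run when Authentik is deployed
  authentik-worker:
    image: ghcr.io/goauthentik/server:2024.2.0
    container_name: authentik-worker
    restart: unless-stopped
    command: worker
    networks:
      - homelab-network
    volumes:
      - ./authentik/media:/media
      - ./authentik/certs:/certs
      - ./authentik/custom-templates:/templates
    environment:
      # Must carry the same database credentials and secret key as
      # authentik-server.
      - AUTHENTIK_REDIS__HOST=authentik-redis
      - AUTHENTIK_POSTGRESQL__HOST=authentik-db
      - AUTHENTIK_POSTGRESQL__USER=${AUTHENTIK_DB_USER}
      - AUTHENTIK_POSTGRESQL__NAME=${AUTHENTIK_DB_NAME}
      - AUTHENTIK_POSTGRESQL__PASSWORD=${AUTHENTIK_DB_PASSWORD}
      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
      - AUTHENTIK_ERROR_REPORTING__ENABLED=false
    labels:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
      - 'homelab.category=alternatives'
      - 'homelab.description=Authentik background worker'
    depends_on:
      - authentik-db
      - authentik-redis

  # Authentik Database - PostgreSQL
  # Database must always run for Authentik to function
  authentik-db:
    image: postgres:16-alpine
    container_name: authentik-db
    restart: unless-stopped
    networks:
      # Not published on the host. Reachable by every container attached to
      # the shared homelab-network.
      - homelab-network
    volumes:
      - ./authentik/db:/var/lib/postgresql/data
    environment:
      - POSTGRES_USER=${AUTHENTIK_DB_USER}
      - POSTGRES_PASSWORD=${AUTHENTIK_DB_PASSWORD}
      - POSTGRES_DB=${AUTHENTIK_DB_NAME}
    labels:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
      - 'homelab.category=alternatives'
      - 'homelab.description=Authentik database'
    healthcheck:
      test: ['CMD-SHELL', 'pg_isready -U ${AUTHENTIK_DB_USER}']
      interval: 10s
      timeout: 5s
      retries: 5

  # Authentik Redis - Cache and message queue
  # Cache service must always run for Authentik performance
  authentik-redis:
    image: redis:7-alpine
    container_name: authentik-redis
    restart: unless-stopped
    networks:
      # NOTE(review): no Redis password is configured in the command below, so
      # any container on the shared homelab-network can connect. Consider a
      # dedicated network for the Authentik backend services.
      - homelab-network
    volumes:
      - ./authentik/redis:/data
    command: --save 60 1 --loglevel warning
    labels:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
      - 'homelab.category=alternatives'
      - 'homelab.description=Authentik cache and messaging'
    healthcheck:
      test: ['CMD-SHELL', 'redis-cli ping | grep PONG']
      interval: 10s
      timeout: 3s
      retries: 5

  # Plex Media Server - Alternative to Jellyfin
  # NOTE: No Authelia - allows app access from Roku, Fire TV, mobile, etc.
  plex:
    image: plexinc/pms-docker:1.40.0.7998-f68041501
    container_name: plex
    restart: unless-stopped
    networks:
      # The original list named homelab-network twice; each network is listed
      # once.
      - homelab-network
      - traefik-network
    ports:
      # Published directly by design (see NOTE above). Access control on this
      # port relies on Plex's own authentication, not on the SSO middleware.
      - '32400:32400'
    volumes:
      - ./plex/config:/config
      - ${MEDIA_DIR}:/media:ro  # Large media files on separate drive
      - plex-transcode:/transcode
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/New_York
      - PLEX_CLAIM=${PLEX_CLAIM}
    # Hardware transcoding support
    # Uncomment ONE of the following options:
    # Option 1: Intel QuickSync (most common)
    # devices:
    #   - /dev/dri:/dev/dri
    # Option 2: NVIDIA GPU (requires nvidia-container-toolkit installed)
    # runtime: nvidia
    # devices:
    #   - /dev/nvidia0:/dev/nvidia0
    #   - /dev/nvidiactl:/dev/nvidiactl
    #   - /dev/nvidia-modeset:/dev/nvidia-modeset
    #   - /dev/nvidia-uvm:/dev/nvidia-uvm
    #   - /dev/nvidia-uvm-tools:/dev/nvidia-uvm-tools
    # environment:
    #   - NVIDIA_VISIBLE_DEVICES=all
    #   - NVIDIA_DRIVER_CAPABILITIES=compute,video,utility
    labels:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
      - 'homelab.category=alternatives'
      - 'homelab.description=Alternative media streaming server to Jellyfin'
      # Traefik labels - NO Authelia for app access
      - 'traefik.enable=true'
      - 'traefik.docker.network=traefik-network'
      - 'traefik.http.routers.plex.rule=Host(`plex.${DOMAIN}`)'
      - 'traefik.http.routers.plex.entrypoints=websecure'
      - 'traefik.http.routers.plex.tls.certresolver=letsencrypt'
      - 'traefik.http.services.plex.loadbalancer.server.port=32400'

volumes:
  # Named volume mounted by the plex service. Compose rejects a service that
  # references a named volume with no top-level declaration.
  plex-transcode: {}

networks:
  homelab-network:
    external: true
  traefik-network:
    external: true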