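# Core edge stack: dynamic DNS (duckdns), reverse proxy / TLS termination
# (traefik) and single sign-on (authelia). Every ${...} value is substituted
# by Compose from the shell environment or the project's .env file.
services:
  duckdns:
    # Dynamic DNS service - must always run to maintain domain resolution
    # NOTE(review): ':latest' is a floating tag, so each pull can bring in an
    # image nobody reviewed; pin a release tag or digest for reproducible,
    # auditable deploys.
    image: lscr.io/linuxserver/duckdns:latest
    container_name: duckdns
    restart: unless-stopped
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
      - SUBDOMAINS=${DUCKDNS_SUBDOMAINS}
      # Secret: passed as a plain environment variable, so it is readable via
      # `docker inspect duckdns`. Keep the .env file out of version control.
      - TOKEN=${DUCKDNS_TOKEN}
    volumes:
      - ./duckdns/config:/config
    networks:
      - traefik-network
    labels:
      - 'com.getarcaneapp.arcane.icon=https://cdn.jsdelivr.net/gh/selfhst/icons@main/svg/duckdns.svg'

  traefik:
    # Reverse proxy and SSL termination - core routing service, must always run
    # NOTE(review): 'v3' is a floating major tag; pin a full release tag or
    # digest so upgrades of the edge proxy are deliberate.
    image: traefik:v3
    container_name: traefik
    restart: unless-stopped
    command: ['--configFile=/config/traefik.yml']
    environment:
      # Same DuckDNS secret as the duckdns service; presumably consumed by the
      # DNS-challenge certificate resolver in /config/traefik.yml - confirm.
      - DUCKDNS_TOKEN=${DUCKDNS_TOKEN}
    ports:
      # Quoted so every port mapping in this file is an explicit string,
      # matching the authelia service below.
      - '80:80'
      - '443:443'
      # NOTE(review): 8080 is the port the 'traefik' router's service targets
      # (see the loadbalancer.server.port label below). Publishing it on the
      # host makes that listener reachable at http://${SERVER_IP}:8080
      # (listed under x-dockge) without passing through the authelia@docker
      # middleware, which is attached only to the router. If direct access is
      # not required, drop this mapping or bind it to 127.0.0.1.
      - '8080:8080'
    volumes:
      - ./traefik/config:/config
      - ./traefik/letsencrypt:/letsencrypt
      - ./traefik/dynamic:/dynamic
      - ./traefik/logs:/logs
      # NOTE(review): ':ro' only makes the socket file's mount read-only; it
      # does not restrict Docker API calls sent over the socket, so this
      # internet-facing container still has full Engine API access. A
      # filtering socket proxy that exposes only the read endpoints Traefik
      # needs would narrow this.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - traefik-network
      - homelab-network
    labels:
      - 'com.getarcaneapp.arcane.icon=https://cdn.jsdelivr.net/gh/selfhst/icons@main/svg/traefik.svg'
      # - 'traefik.http.routers.traefik.rule=Host(`traefik.kelinreij.duckdns.org`)'
      # The router rule is supplied from the environment in place of the
      # hard-coded label above, so the effective hostname is not visible here.
      - '${TRAEFIK_HOST_LABEL}'
      - 'traefik.enable=true'
      - 'traefik.http.routers.traefik.entrypoints=websecure'
      - 'traefik.http.routers.traefik.tls.certresolver=letsencrypt'
      # Requests through this router are checked by the forward-auth
      # middleware declared on the authelia container's labels.
      - 'traefik.http.routers.traefik.middlewares=authelia@docker'
      - 'traefik.http.services.traefik.loadbalancer.server.port=8080'

  authelia:
    # Single sign-on authentication service - must always run for user authentication
    # NOTE(review): ':latest' on the authentication service means an
    # unattended pull can change auth behaviour or config schema; pin a
    # release tag or digest.
    image: authelia/authelia:latest
    container_name: authelia
    restart: unless-stopped
    environment:
      - TZ=${TZ}
    ports:
      # NOTE(review): publishing 9091 exposes the login portal directly at
      # http://${SERVER_IP}:9091 (listed under x-dockge) in addition to the
      # TLS route through Traefik. Traefik reaches Authelia over the shared
      # Docker networks and does not need this mapping; credentials entered
      # on the direct path are not covered by Traefik's TLS.
      - '9091:9091'
    volumes:
      - ./authelia/config:/config
      # Holds Authelia secret material; keep host permissions tight and the
      # directory out of version control.
      - ./authelia/secrets:/secrets
    networks:
      - traefik-network
      - homelab-network
    labels:
      - 'com.getarcaneapp.arcane.icon=https://cdn.jsdelivr.net/gh/selfhst/icons@main/svg/authelia.svg'
      # - 'traefik.http.routers.authelia.rule=Host(`auth.kelinreij.duckdns.org`)'
      - '${AUTHELIA_HOST_LABEL}'
      - 'traefik.enable=true'
      - 'traefik.http.routers.authelia.entrypoints=websecure'
      - 'traefik.http.routers.authelia.tls.certresolver=letsencrypt'
      - 'traefik.http.routers.authelia.service=authelia'
      - 'traefik.http.services.authelia.loadbalancer.server.port=9091'
      # - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.kelinreij.duckdns.org/'
      # Forward-auth address (and its redirect target) come from the
      # environment; verify the value points at the intended Authelia host.
      - '${AUTHELIA_FORWARD_AUTH_LABEL}'
      # NOTE(review): only X-Secret is copied from the auth response onto the
      # proxied request; identity headers such as Remote-User are not listed.
      # Confirm this is intended and that backends do not accept a
      # client-supplied copy of any header they trust.
      - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=X-Secret'
      # NOTE(review): with trustForwardHeader=true the X-Forwarded-* headers
      # already on the request are passed to Authelia as-is. That is only
      # sound when untrusted clients cannot set them - confirm the entrypoint
      # forwarded-header trust settings in /config/traefik.yml.
      - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'

networks:
  # Both networks are external: Compose will not create them, so they must
  # exist before this stack is started.
  traefik-network:
    external: true
  homelab-network:
    external: true

# Dashboard metadata only (extension fields); the http:// entries mirror the
# directly published ports 9091 and 8080 above.
x-dockge:
  urls:
    - https://auth.${SUBDOMAIN}.duckdns.org
    - http://${SERVER_IP}:9091
    - https://traefik.${SUBDOMAIN}.duckdns.org
    - http://${SERVER_IP}:8080

x-arcane:
  icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/svg/traefik.svg
  urls:
    - https://auth.${SUBDOMAIN}.duckdns.org
    - http://${SERVER_IP}:9091
    - https://traefik.${SUBDOMAIN}.duckdns.org
    - http://${SERVER_IP}:8080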