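---
# Reverse-proxy stack: Traefik (edge, macvlan LAN IP) + Authelia (forward-auth)
# + Traefik-GUI (editor for Traefik's config directory).
# Secrets are interpolated from the shell / .env file; keep that file out of
# version control and readable only by the deploying user.
services:
  traefik:
    container_name: Traefik
    # Floating tag: a pull can silently change the running code. Pin to a
    # reviewed release or digest, e.g. traefik:<VERSION>@sha256:<DIGEST>.
    image: traefik:latest
    restart: always
    # Blocks privilege gain through setuid/file-capability binaries.
    security_opt:
      - no-new-privileges:true
    networks:
      traefik_macvlan:
        ipv4_address: 192.168.2.253  # Traefik's LAN IP
      proxy: {}
    volumes:
      # ":ro" only protects the socket file itself; Docker API calls over the
      # socket are not restricted, so a compromised Traefik can control the
      # daemon. Consider a filtering socket proxy that exposes only the
      # read-only container endpoints Traefik needs.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/traefik.yml:/traefik.yml:ro
      - ./traefik/config:/traefik_config
      # Holds ACME private keys; keep host permissions tight (acme.json 0600).
      - ./traefik/cert:/traefik_cert
      - ./traefik/logs:/logs
    environment:
      - TZ=America/Winnipeg
      # Global API key + e-mail grants full account access. The ACME client
      # also accepts a scoped token (CF_DNS_API_TOKEN) limited to DNS edits on
      # the zone; prefer that where possible.
      - CLOUDFLARE_API_KEY=${CLOUDFLARE_API_KEY}
      - CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL}
    labels:
      - "traefik.enable=true"
      # Dashboard (behind Authelia)
      # NOTE(review): confirm traefik.yml (not shown) does not also set
      # api.insecure, which would expose the API without this middleware.
      - "traefik.http.routers.traefik.rule=Host(`tfk.yourdomain.com`)"
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.http.routers.traefik.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=authelia@docker"

  authelia:
    container_name: Authelia
    restart: always
    # Floating tag; pin to a reviewed release or digest.
    image: authelia/authelia:latest
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    volumes:
      - ./authelia/config:/config
      - ./authelia/secrets:/secrets:ro
      - ./authelia/logs:/var/log/authelia
    environment:
      - TZ=America/Winnipeg
      - X_AUTHELIA_CONFIG_FILTERS=template
      # Environment values are visible in `docker inspect`. Authelia accepts
      # the same settings with a _FILE suffix pointing at a file; /secrets is
      # already mounted read-only for that purpose.
      - AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET}
      - AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_STORAGE_ENCRYPTION_KEY}
      - AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET}
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      # The portal router intentionally carries no authelia middleware.
      - "traefik.http.routers.authelia.rule=Host(`auth.yourdomain.com`)"
      - "traefik.http.routers.authelia.entrypoints=https"
      - "traefik.http.routers.authelia.tls.certresolver=cloudflare"
      - "traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/authz/forward-auth"
      # Passes incoming X-Forwarded-* headers on to Authelia. Verify that the
      # entrypoint's forwardedHeaders.trustedIPs in traefik.yml (not shown) is
      # limited to real upstream proxies so clients cannot supply their own.
      - "traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true"
      # Backends trust these identity headers; they must be reachable only
      # through Traefik.
      - "traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"

  traefik-gui:
    container_name: Traefik-GUI
    restart: always
    # Branch tag: tracks unreleased code. Pin to a reviewed digest.
    image: ghcr.io/rahn-it/traefik-gui:master
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    volumes:
      - ./traefik-gui/db:/app/db
      # Read-write view of the directory Traefik mounts as /traefik_config
      # (presumably its file-provider directory; confirm in traefik.yml).
      # Whoever controls this container can change routing, so treat it as
      # privileged. Authelia is enforced only at Traefik: other containers on
      # the proxy network can reach this service directly.
      - ./traefik/config:/app/traefik
    environment:
      - TZ=America/Winnipeg
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.traefik-gui.rule=Host(`tfk-admin.yourdomain.com`)"
      - "traefik.http.routers.traefik-gui.entrypoints=https"
      - "traefik.http.routers.traefik-gui.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-gui.middlewares=authelia@docker"

networks:
  # Pre-existing macvlan network that gives Traefik its own LAN address.
  traefik_macvlan:
    external: true
  # Internal bridge shared by Traefik and the services it fronts.
  proxy:
    name: proxy
    driver: bridge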