version: "3.9"

networks:
  proxy:
    external: true
  metrics:
    external: false
  authelia:
    external: false

secrets:
  jwt:
    file: ./secrets/authelia_jwt
  session:
    file: ./secrets/authelia_session
  storage:
    file: ./secrets/authelia_storage
  smtp:
    file: ./secrets/authelia_smtp
  hetzner:
    file: ./secrets/hetzner_key

volumes:
  redis:

services:
  authelia:
    image: authelia/authelia:latest
    container_name: authelia
    restart: always
    secrets:
      - jwt
      - session
      - storage
      - smtp
    environment:
      - TZ=Europe/Berlin
      - AUTHELIA_JWT_SECRET_FILE=/run/secrets/jwt
      - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/session
      - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/smtp
      - AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/storage
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./authelia:/config
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authelia.entrypoints=websecure"
    healthcheck:
      disable: true
    expose:
      - 9091
    networks:
      - proxy
      - authelia

  authelia-redis:
    image: redis:alpine
    container_name: authelia-redis
    restart: always
    environment:
      - TZ=Europe/Berlin
    volumes:
      - redis:/data
    expose:
      - 6379
    networks:
      - authelia

  traefik:
    image: traefik:2.9
    container_name: traefik
    restart: always
    secrets:
      - hetzner
    environment:
      - TZ=Europe/Berlin
      - HETZNER_API_KEY_FILE=/run/secrets/hetzner
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/static.yaml:/etc/traefik/traefik.yaml
      - ./traefik/dynamic.yaml:/dynamic.yaml
      - ./secrets/acme.json:/acme.json
    ports:
      - "80:80"
      - "443:443"
      - "127.0.0.1:8080:8080"
    networks:
      - proxy
      - metrics

  prometheus:
    image: prom/prometheus:latest
    container_name: prometheus
    restart: always
    volumes:
      - "./prometheus:/etc/prometheus"
    expose:
      - 9090
    networks:
      - metrics

  grafana:
    image: grafana/grafana:latest
    container_name: grafana
    restart: always
    user: "1000"
    environment:
      - GF_SECURITY_ADMIN_USER=admin
      - GF_LOG_LEVEL=error
      - GF_SERVER_ROOT_URL=https://metrics.tp.example.de
      - GF_AUTH_ANONYMOUS_ENABLED=true
      - GF_AUTH_ANONYMOUS_ORG_ROLE=Editor
      - GF_LIVE_ALLOWED_ORIGINS=*
    volumes:
      - ./grafana:/var/lib/grafana
    ports:
      - "127.0.0.1:3000:3000"
    networks:
      - metrics