version: "3.9"

networks:
  proxy:
    external: true
  monitor:
    external: true

secrets:
  inwx_username:
    file: ./secrets/inwx_username
  inwx_password:
    file: ./secrets/inwx_password
  jwt:
    file: ./secrets/authelia_jwt
  duo:
    file: ./secrets/authelia_duo
  session:
    file: ./secrets/authelia_session
  storage:
    file: ./secrets/authelia_storage
  smtp:
    file: ./secrets/authelia_smtp

services:
  authelia:
    image: authelia/authelia:4
    container_name: authelia
    secrets:
      - jwt
      - duo
      - session
      - storage
      - smtp
    environment:
      - TZ=Europe/Berlin
      - AUTHELIA_JWT_SECRET_FILE=/run/secrets/jwt
      - AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/duo
      - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/session
      - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/smtp
      - AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/storage
    healthcheck:
      disable: true
    volumes:
      - ./authelia:/config
    restart: always
    expose:
      - 9091
    networks:
      - proxy

  traefik:
    image: traefik:2.5
    container_name: traefik
    restart: always
    security_opt:
      - no-new-privileges:true
    ports:
      - "80:80"
      - "443:443"
    secrets:
      - inwx_username
      - inwx_password
    environment:
      - TZ=Europe/Berlin
      - INWX_USERNAME_FILE=/run/secrets/inwx_username
      - INWX_PASSWORD_FILE=/run/secrets/inwx_password
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/traefik.toml:/traefik.toml:ro
      - ./traefik/inwx.json:/inwx.json
      - ./traefik/config.toml:/config.toml
    networks:
      - proxy
      - monitor