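---
# Edge stack: Traefik (reverse proxy / TLS termination), CrowdSec (log-based
# IP reputation), error-pages (fallback responses) and Authelia (forward-auth).
# The `traefik` network and the `docker-socket-proxy` service are not defined
# here; they are presumably provided by another compose file in the same
# project (the labels reference it as `core_traefik`) -- verify before use.
services:
  traefik:
    profiles: ["core", "all", "traefik"]
    # NOTE: `build` below is combined with `image`; compose builds the local
    # context and tags the result as `traefik:3` rather than pulling upstream.
    image: traefik:3
    container_name: traefik
    restart: always
    read_only: true
    hostname: traefik.lan.ddnsgeek.com
    # Short-form depends_on only orders start-up; it does not wait for
    # crowdsec's healthcheck to pass.
    depends_on:
      - docker-socket-proxy
      - error-pages
      - authelia
      - crowdsec
    ports:
      - "80:80"
      - "443:443"
    build:
      context: ${PROJECT_ROOT}/core
    # env_file:
    #   - ${PROJECT_ROOT}/secrets/stack-secrets.env
    volumes:
      - ${PROJECT_ROOT}/core/traefik/data/letsencrypt:/letsencrypt
      - ${PROJECT_ROOT}/core/traefik/data/logs:/logs
      - ${PROJECT_ROOT}/core/traefik/dynamic.yml:/etc/traefik/dynamic.yml:ro
      - ${PROJECT_ROOT}/core/traefik/traefik.yml:/etc/traefik/traefik.yml:ro
      - ${PROJECT_ROOT}/core/traefik/data/plugins:/plugins-storage
    healthcheck:
      # String form is executed via the container shell (CMD-SHELL).
      test: traefik healthcheck --ping
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.lan.ddnsgeek.com`)"
      # Dashboard/API; must stay behind the authelia middleware below.
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=myresolver"
      - "traefik.http.routers.traefik.middlewares=authelia"
      - "io.portainer.accesscontrol.public"
      - "traefik.docker.network=core_traefik"
      - "traefik.http.routers.traefik.observability.tracing=true"
    networks:
      # - reverse_proxy
      # - prometheus_edge
      - traefik

  crowdsec:
    # image: crowdsecurity/crowdsec:latest
    profiles: ["core", "all", "traefik"]
    build: ${PROJECT_ROOT}/core/crowdsec
    container_name: crowdsec
    restart: always
    environment:
      - COLLECTIONS=crowdsecurity/traefik
      # - CROWDSEC_LAPI_KEY=${CROWDSEC_LAPI_KEY}
    volumes:
      # Traefik access logs are read-only; config and data stay writable.
      - ${PROJECT_ROOT}/core/crowdsec/logs:/logs:ro
      - ${PROJECT_ROOT}/core/crowdsec/data:/var/lib/crowdsec/data
      - ${PROJECT_ROOT}/core/crowdsec/config:/etc/crowdsec
    networks:
      # - reverse_proxy
      - traefik
    healthcheck:
      test: ["CMD-SHELL", "cscli metrics || exit 1"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 15s

  error-pages:
    profiles: ["core", "all", "traefik"]
    image: tarampampam/error-pages:3
    restart: always
    container_name: error-pages
    read_only: true
    environment:
      # Quoted so an unset variable yields "" instead of a YAML null.
      TEMPLATE_NAME: "${ERROR_PAGES_TEMPLATE_NAME}"
    networks:
      # - reverse_proxy
      - traefik
    hostname: error-pages
    labels:
      - "traefik.enable=true"
      # use as "fallback" for any NON-registered services (with priority below normal)
      # NOTE: `{host:.+}` is the Traefik v2 named-group form; with the
      # `traefik:3` image it only parses if traefik.yml keeps the v2 rule
      # syntax -- confirm, otherwise the router is rejected at load time.
      - "traefik.http.routers.error-pages-router.rule=HostRegexp(`{host:.+}`)"
      # should say that all of your services work on https
      - "traefik.http.routers.error-pages-router.entrypoints=web"
      - "traefik.http.routers.error-pages-router.middlewares=error-pages-middleware"
      # "errors" middleware settings
      - "traefik.http.middlewares.error-pages-middleware.errors.status=400-599"
      - "traefik.http.middlewares.error-pages-middleware.errors.service=error-pages-service"
      - "traefik.http.middlewares.error-pages-middleware.errors.query=/{status}.html"
      # define service properties
      - "traefik.http.services.error-pages-service.loadbalancer.server.port=8080"
      - "io.portainer.accesscontrol.public"

  authelia:
    profiles: ["core", "all", "traefik"]
    # Untagged image resolves to `latest` for the local build tag; pin a
    # specific release (e.g. authelia/authelia:<VERSION>) so upgrades of the
    # auth gateway are deliberate and reproducible.
    image: authelia/authelia
    restart: always
    build:
      context: ${PROJECT_ROOT}/core/authelia
    # env_file:
    #   - ${PROJECT_ROOT}/secrets/stack-secrets.env
    # environment:
    #   - AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET:${AUTHELIA_JWT_SECRET}
    #   - AUTHELIA_SESSION_SECRET:${AUTHELIA_SESSION_SECRET}
    #   - AUTHELIA_STORAGE_ENCRYPTION_KEY:${AUTHELIA_STORAGE_ENCRYPTION_KEY}
    volumes:
      - ${PROJECT_ROOT}/core/authelia:/config
    networks:
      # - reverse_proxy
      - traefik
    container_name: authelia
    # Labels quoted to match the other services in this file.
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authelia.rule=Host(`auth.lan.ddnsgeek.com`)"
      - "traefik.http.routers.authelia.entrypoints=websecure"
      - "traefik.http.routers.authelia.tls=true"
      - "traefik.http.routers.authelia.tls.certresolver=myresolver"
      - "io.portainer.accesscontrol.public"
      - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lan.ddnsgeek.com/"
      # Keep trustForwardHeader enabled so Authelia evaluates the real client IP from
      # X-Forwarded-* headers that Traefik now accepts only from trustedIPs.
      - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups"
      - "traefik.http.middlewares.authelia.forwardauth.maxResponseBodySize=2097152"

# networks:
#   reverse_proxy:
#     driver: bridge
#   prometheus_edge:
#     external: true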