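---
# Compose definition for the mtls-bridge service: built from a local context,
# published through Traefik on the websecure entrypoint behind HTTP basic auth.
# Judging by its variables (TARGET_URL, CLIENT_CERT, CLIENT_KEY) it presumably
# forwards requests to an upstream using a client certificate; the bridge code
# itself is not part of this file.
services:
  mtls-bridge:
    profiles: ["monitoring", "all", "mtls-bridge"]
    build:
      context: "${PROJECT_ROOT}/monitoring/mtls-bridge"
    container_name: mtls-bridge
    hostname: mtls-bridge.lan.ddnsgeek.com
    restart: unless-stopped
    environment:
      # TARGET_URL, CLIENT_CERT, CLIENT_KEY and TIMEOUT have no default: when
      # the MTLS_BRIDGE_* variable is unset, Compose substitutes an empty
      # string and only prints a warning.
      - "TARGET_URL=${MTLS_BRIDGE_TARGET_URL}"
      - "CLIENT_CERT=${MTLS_BRIDGE_CLIENT_CERT}"
      - "CLIENT_KEY=${MTLS_BRIDGE_CLIENT_KEY}"
      - "TIMEOUT=${MTLS_BRIDGE_TIMEOUT}"
      - "LOG_LEVEL=${MTLS_BRIDGE_LOG_LEVEL:-INFO}"
      # NOTE(review): defaults to empty. How the bridge treats an empty value
      # is not visible here; confirm it falls back to a trust store and does
      # not switch upstream certificate verification off.
      - "UPSTREAM_CA_CERT=${MTLS_BRIDGE_UPSTREAM_CA_CERT:-}"
    volumes:
      # Read-only mount of Traefik's whole certs directory.
      # NOTE(review): every file in that directory becomes readable inside
      # this container. If it holds private keys other than the bridge's own
      # client key, mount only the files the bridge needs.
      - "${PROJECT_ROOT}/core/traefik/certs:/certs:ro"
    labels:
      - "traefik.http.routers.mtls-bridge.rule=Host(`mtls-bridge.lan.ddnsgeek.com`)"
      - "traefik.enable=true"
      - "traefik.http.routers.mtls-bridge.entrypoints=websecure"
      - "traefik.http.routers.mtls-bridge.tls.certresolver=myresolver"
      # Basic auth is the only middleware attached to this router.
      - "traefik.http.routers.mtls-bridge.middlewares=mtls-bridge-auth"
      # The htpasswd entry used to be committed inline on this label (bcrypt,
      # cost 05). Anyone who can read the repository or its history can attack
      # that hash offline, so treat the password as exposed: rotate it and
      # generate the replacement with a higher bcrypt cost.
      # The value now comes from the environment and the deployment fails
      # fast when it is missing. The `$$` doubling needed for inline values
      # should not be needed in the variable; check the rendered label with
      # `docker compose config` before deploying.
      - "traefik.http.middlewares.mtls-bridge-auth.basicauth.users=${MTLS_BRIDGE_BASIC_AUTH_USERS:?set MTLS_BRIDGE_BASIC_AUTH_USERS to an htpasswd entry}"
      # Portainer access-control label: marks the container as public, i.e.
      # accessible to every Portainer user.
      - "io.portainer.accesscontrol.public"
      # Disabled, and it names the router `searxng`, not `mtls-bridge`, so it
      # would not protect this service even if enabled as written.
      # - "traefik.http.routers.searxng.middlewares=crowdsec@file,secHeaders@file,error-pages-middleware"
      - "traefik.http.services.mtls-bridge.loadbalancer.server.port=8080"
      # presumably the external network behind the `traefik` entry under
      # `networks` below; its definition is not in this fragment.
      - "traefik.docker.network=core_traefik"
    healthcheck:
      # urlopen raises on connection failure or an HTTP error status, so the
      # probe exits non-zero whenever /health is not served successfully.
      test:
        - "CMD"
        - "python"
        - "-c"
        - "import urllib.request; urllib.request.urlopen('http://localhost:8080/health', timeout=3).read()"
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s
    networks:
      # Both networks are referenced here but defined outside the visible
      # part of the file.
      - monitor
      - traefik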