services:
  authelia:
    profiles: ["core","all","traefik"]
    image: authelia/authelia
    restart: always
    build:
      context: ${PROJECT_ROOT}/core/authelia
#    env_file:
#      - ${PROJECT_ROOT}/secrets/stack-secrets.env
#    environment:
#      - AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET:${AUTHELIA_JWT_SECRET}
#      - AUTHELIA_SESSION_SECRET:${AUTHELIA_SESSION_SECRET}
#      - AUTHELIA_STORAGE_ENCRYPTION_KEY:${AUTHELIA_STORAGE_ENCRYPTION_KEY}
    volumes:
      - ${PROJECT_ROOT}/core/authelia:/config
    networks:
#      - reverse_proxy
      - traefik
    container_name: authelia
    labels:
      - traefik.enable=true
      - traefik.http.routers.authelia.rule=Host(`auth.lan.ddnsgeek.com`)
      - traefik.http.routers.authelia.entrypoints=websecure
      - traefik.http.routers.authelia.tls=true
      - traefik.http.routers.authelia.tls.certresolver=myresolver
      - io.portainer.accesscontrol.public
      - traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lan.ddnsgeek.com/
      - traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups
      - traefik.http.middlewares.authelia.forwardauth.maxResponseBodySize=2097152