secrets:
  JWT_SECRET:
    file: ${INFRA_PATH}/authelia/secrets/JWT_SECRET
  SESSION_SECRET:
    file: ${INFRA_PATH}/authelia/secrets/SESSION_SECRET
  STORAGE_PASSWORD:
    file: ${INFRA_PATH}/authelia/secrets/STORAGE_PASSWORD
  STORAGE_ENCRYPTION_KEY:
    file: ${INFRA_PATH}/authelia/secrets/STORAGE_ENCRYPTION_KEY
services:
  authelia:
    extends:
      file: ${TEMPLATES_PATH}
      service: default
    container_name: authelia
    image: authelia/authelia:latest
    ports:
      - 9959:9959 # metrics prometheus
    networks: 
      - ip6net
    expose:
      - 9091
    secrets: [JWT_SECRET, SESSION_SECRET, STORAGE_PASSWORD, STORAGE_ENCRYPTION_KEY]
    environment:
      AUTHELIA_JWT_SECRET_FILE: /run/secrets/JWT_SECRET
      AUTHELIA_SESSION_SECRET_FILE: /run/secrets/SESSION_SECRET
      AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: /run/secrets/STORAGE_PASSWORD
      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/STORAGE_ENCRYPTION_KEY
      # AUTHELIA_PUBLIC_DOMAIN: ${PUBLIC_DOMAIN} # this does not work for access control or openID yet
      # AUTHELIA_LOCAL_DOMAIN: ${LOCAL_DOMAIN} # this does not work for access control or openID yet
    volumes:
      - ${INFRA_PATH}/authelia/config:/config
      - ${INFRA_PATH}/authelia/config:/config
      - "/var/log/authelia/:/config/log"
    labels:
      # Watchtower
      - "com.centurylinklabs.watchtower.enable=true"
      # Traefik
      - 'traefik.enable=true'
      - 'traefik.http.routers.authelia.rule=Host(`auth.${PUBLIC_DOMAIN}`)'
      - "traefik.http.routers.authelia.tls.certresolver=myresolver"
      - 'traefik.http.routers.authelia.entryPoints=https'
      - 'traefik.http.routers.authelia.tls=true'
      - 'traefik.http.routers.authelia.service=authelia-svc'
      - 'traefik.http.services.authelia-svc.loadbalancer.server.port=9091'
      # Middleware
      - "traefik.http.routers.authelia.middlewares=crowdsec-bouncer@file"