services:
  navidrome:
    extends:
      file: ${TEMPLATES_PATH}
      service: default
    image: deluan/navidrome 
    container_name: navidrome
    ports:
      - 2011:4533
    networks:
      - ip4net
    volumes:
      - ${MEDIA_PATH}/navidrome/data:/data
      - ${EXTERNAL_STORAGE}/media/music:/music:ro
    environment:
      ND_REVERSEPROXYWHITELIST: 0.0.0.0/0
      ND_ENABLEUSEREDITING: false
    labels:
      # Watchtower
      - "com.centurylinklabs.watchtower.enable=true"
      # Traefik
      - "traefik.enable=true"
      - "traefik.http.routers.navidrome.rule=Host(`navidrome.${PUBLIC_DOMAIN}`)"
      - "traefik.http.routers.navidrome.entrypoints=https"
      - 'traefik.http.routers.navidrome.tls=true'
      # Middlewares
      - "traefik.http.routers.navidrome.middlewares=crowdsec-bouncer@file, authelia@file"
      # Subsonic endpoint use basic authentication middleware from authelia
      - "traefik.http.routers.navidrome-subsonic.rule=Host(`navidrome.${PUBLIC_DOMAIN}`) && PathPrefix(`/rest/`) && !Query(`c`, `NavidromeUI`)"
      - "traefik.http.routers.navidrome-subsonic.entrypoints=https"
      - "traefik.http.routers.navidrome-subsonic.middlewares=crowdsec-bouncer@file, authelia-basicauth@file, subsonic-basicauth@file"