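---
# Traefik edge proxy whose dashboard is gated by an OIDC forward-auth sidecar.
# Values come from the shell environment or an .env file; the two secrets
# below have no default and must be supplied from outside version control.
services:
  traefik:
    # Tags are mutable; pin by digest as well if pulls must be reproducible.
    image: traefik:v3.7.5
    container_name: traefik
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # ":ro" only makes the bind mount read-only; it does not limit the
      # Docker API calls that can be sent over the socket. A compromise of
      # this internet-facing container therefore still reaches the full
      # Docker API. Consider a filtering socket proxy that exposes only the
      # read endpoints the docker provider needs.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Holds acme.json (ACME account key and certificate private keys);
      # keep the host directory readable by the owner only.
      - ./letsencrypt:/letsencrypt
    command:
      # The dashboard is enabled without api.insecure; it is reachable only
      # through the traefik-dashboard router defined in the labels below.
      - "--api.dashboard=true"
      - "--providers.docker=true"
      # Containers are published only when they opt in with traefik.enable.
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=traefik-public"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Plain HTTP is redirected to HTTPS at the entrypoint.
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myresolver.acme.email=${TRAEFIK_ACME_EMAIL:-admin@hmac.kr}"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik-dashboard.rule=Host(`${TRAEFIK_DASHBOARD_HOST:-traefik.brsw.kr}`)"
      - "traefik.http.routers.traefik-dashboard.service=api@internal"
      - "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
      - "traefik.http.routers.traefik-dashboard.tls.certresolver=myresolver"
      # The dashboard's only access control is this middleware; removing or
      # renaming it exposes api@internal without authentication.
      - "traefik.http.routers.traefik-dashboard.middlewares=auth-forward@docker"
    networks:
      - traefik-public

  forward-auth:
    image: thomseddon/traefik-forward-auth:2.2.0
    container_name: forward-auth
    restart: unless-stopped
    environment:
      - LOG_LEVEL=${TRAEFIK_FORWARD_AUTH_LOG_LEVEL:-info}
      - DEFAULT_PROVIDER=generic-oauth
      - PROVIDERS_GENERIC_OAUTH_AUTH_URL=${HYDRA_PUBLIC_URL:-https://app.brsw.kr/oidc}/oauth2/auth
      - PROVIDERS_GENERIC_OAUTH_TOKEN_URL=${HYDRA_PUBLIC_URL:-https://app.brsw.kr/oidc}/oauth2/token
      - PROVIDERS_GENERIC_OAUTH_USER_URL=${HYDRA_PUBLIC_URL:-https://app.brsw.kr/oidc}/userinfo
      - PROVIDERS_GENERIC_OAUTH_CLIENT_ID=${TRAEFIK_FORWARD_AUTH_CLIENT_ID:-traefik-forward-auth}
      # ":?" makes compose stop with an error when the variable is unset or
      # empty, instead of substituting an empty string and starting anyway.
      - "PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET=${TRAEFIK_FORWARD_AUTH_CLIENT_SECRET:?set TRAEFIK_FORWARD_AUTH_CLIENT_SECRET}"
      - PROVIDERS_GENERIC_OAUTH_SCOPE=openid profile email
      # Cookie-signing secret: use a long random value, and rotate it to
      # invalidate existing sessions.
      - "SECRET=${TRAEFIK_FORWARD_AUTH_COOKIE_SECRET:?set TRAEFIK_FORWARD_AUTH_COOKIE_SECRET}"
      - AUTH_HOST=${TRAEFIK_FORWARD_AUTH_HOST:-app.brsw.kr}
      # The session cookie is scoped to the whole domain, so it is sent to
      # every host under it; all of those hosts must be trusted.
      - COOKIE_DOMAIN=${TRAEFIK_COOKIE_DOMAIN:-brsw.kr}
      - URL_PATH=${TRAEFIK_FORWARD_AUTH_URL_PATH:-/_oauth}
      # Keep false outside local testing so the cookie carries the Secure flag.
      - INSECURE_COOKIE=${TRAEFIK_FORWARD_AUTH_INSECURE_COOKIE:-false}
      # Session lifetime in seconds (43200 = 12 hours).
      - LIFETIME=${TRAEFIK_FORWARD_AUTH_LIFETIME:-43200}
      # NOTE(review): no WHITELIST or DOMAIN restriction is set, so every
      # account the OIDC provider authenticates is let through. Confirm that
      # is intended for the Traefik dashboard, or restrict it here or at the
      # identity provider.
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.forward-auth.loadbalancer.server.port=4181"
      - "traefik.http.middlewares.auth-forward.forwardauth.address=http://forward-auth:4181"
      # trustForwardHeader=true passes X-Forwarded-* headers already on the
      # request to the auth service unchanged. This relies on the entrypoints
      # not trusting client-supplied forwarded headers (forwardedHeaders
      # insecure/trustedIPs left unset, as here). Re-check if a load balancer
      # or CDN is put in front of Traefik.
      - "traefik.http.middlewares.auth-forward.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.auth-forward.forwardauth.authResponseHeaders=X-Forwarded-User"
      # Login callback endpoint; it is deliberately not behind auth-forward.
      - "traefik.http.routers.forward-auth.rule=Host(`${TRAEFIK_FORWARD_AUTH_HOST:-app.brsw.kr}`) && PathPrefix(`${TRAEFIK_FORWARD_AUTH_URL_PATH:-/_oauth}`)"
      - "traefik.http.routers.forward-auth.entrypoints=websecure"
      - "traefik.http.routers.forward-auth.tls.certresolver=myresolver"
    networks:
      - traefik-public

networks:
  # Pre-existing network shared with the other proxied stacks; create it
  # before bringing this file up.
  traefik-public:
    external: true
    name: traefik-public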