version: '3'
services:
######## traefik ########
  traefik:
    container_name: traefik
    image: "traefik:v3.0"
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/etc/traefik/traefik.yml
      - ./file-provider.yml:/etc/traefik/file-provider.yml
      - acme_data:/etc/traefik/acme
    networks:
      - traefik
    ports:
      - "80:80" # HTTP
      - "8081:8080" # Web-GUI
      - "443:443" # HTTPS
      - "2222:2222" # SSH
    environment:
      TZ: Europe/Berlin
    labels:
      com.centurylinklabs.watchtower.enable: true

######## nforwardauth ########
  nforwardauth:
    restart: always
    image: "nosduco/nforwardauth:v1.4.0@sha256:16e38db002d27758bdc53c70ba12113d84158c758efe930c97c6e9e2bf612a5d"
    container_name: traefik-nforwardauth
    environment:
      TOKEN_SECRET: "{{ lookup('keepass', 'nforwardauth_token_secret', 'password') }}"
      AUTH_HOST: auth.mgrote.net
    labels:
      traefik.enable: true
      traefik.http.routers.nforwardauth.rule: Host(`auth.mgrote.net`)

      traefik.http.middlewares.nforwardauth.forwardauth.address: http://nforwardauth:3000

      traefik.http.services.nforwardauth.loadbalancer.server.port: 3000
      traefik.http.routers.nforwardauth.tls: true
      traefik.http.routers.nforwardauth.tls.certresolver: resolver_letsencrypt
      traefik.http.routers.nforwardauth.entrypoints: entry_https

      com.centurylinklabs.watchtower.depends-on: traefik
      com.centurylinklabs.watchtower.enable: true
    volumes:
      - "./passwd:/passwd:ro" # Mount local passwd file at /passwd as read only
    networks:
      - traefik

######## Networks ########
networks:
  traefik:
    external: true
######## Volumes ########
volumes:
  acme_data:


# passwd
# echo "<user>:$(mkpasswd -m sha-512 <password>)"