# Authelia - Single Sign-On & Two-Factor Authentication
# Docs: https://www.authelia.com/

services:
  authelia:
    container_name: authelia
    image: authelia/authelia:latest
    restart: unless-stopped

    env_file:
      - .env

    volumes:
      - ./config:/config

    networks:
      - homelab

    labels:
      # Traefik
      traefik.enable: true
      traefik.docker.network: homelab

      # Main Authelia portal
      traefik.http.routers.authelia.rule: Host(`auth.fig.systems`)
      traefik.http.routers.authelia.entrypoints: websecure
      traefik.http.routers.authelia.tls.certresolver: letsencrypt
      traefik.http.services.authelia.loadbalancer.server.port: 9091

      # Forward Auth Middleware (for services without native OIDC)
      traefik.http.middlewares.authelia.forwardAuth.address: http://authelia:9091/api/verify?rd=https%3A%2F%2Fauth.fig.systems%2F
      traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader: true
      traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders: Remote-User,Remote-Groups,Remote-Name,Remote-Email

  redis:
    container_name: authelia-redis
    image: redis:alpine
    restart: unless-stopped

    volumes:
      - redis-data:/data

    networks:
      - homelab

    command: redis-server --save 60 1 --loglevel warning

networks:
  homelab:
    external: true

volumes:
  redis-data:
    driver: local