---
version: "3.8"

services:
  traefik-forward-auth:
    image: "thomseddon/traefik-forward-auth:2"
    configs:
      - source: forward_ini
        target: /etc/forward.ini
    networks:
      - proxy
    environment:
      - CONFIG=/etc/forward.ini
      - OIDC_CLIENT_ID=traefik-forward-auth
      - OIDC_ISSUER_URL=https://id.autonomic.zone/auth/realms/autonomic
    secrets:
      - oidc_client_secret
      - secret_nonce
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.services.tfa.loadBalancer.server.port=4181"
        - "traefik.http.routers.tfa.rule=Host(`auth.autonomic.zone`)"
        - "traefik.http.routers.tfa.entrypoints=web-secure"
        - "traefik.http.routers.tfa.tls.certresolver=production"
        - "traefik.http.routers.tfa.middlewares=keycloak@file"

networks:
  proxy:
    external: true

configs:
  forward_ini:
    name: auth_forward_ini_v1
    file: forward.ini.tmpl
    template_driver: golang

secrets:
  secret_nonce:
    name: auth_secret_nonce_v1
    external: true
  oidc_client_secret:
    name: auth_oidc_client_secret_v1
    external: true