---
version: "3.8"

services:
  traefik-forward-auth:
    image: "thomseddon/traefik-forward-auth:2"
    configs:
      - source: forward_ini
        target: /etc/forward.ini
    networks:
      - proxy
    environment:
      - CONFIG=/etc/forward.ini
      - OIDC_CLIENT_ID=${OIDC_CLIENT_ID}
      - OIDC_ISSUER_URL=${OIDC_ISSUER_URL}
      - COOKIE_DOMAIN=${COOKIE_DOMAIN}
      - AUTH_HOST=${AUTH_HOST}
    secrets:
      - oidc_client_secret
      - secret_nonce
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.services.tfa.loadBalancer.server.port=4181"
        - "traefik.http.routers.tfa.rule=Host(`${DOMAIN}`)"
        - "traefik.http.routers.tfa.entrypoints=web-secure"
        - "traefik.http.routers.tfa.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "traefik.http.routers.tfa.middlewares=keycloak@file"

networks:
  proxy:
    external: true

configs:
  forward_ini:
    name: ${STACK_NAME}_forward_ini_${FORWARD_INI_VERSION}
    file: forward.ini.tmpl
    template_driver: golang

secrets:
  secret_nonce:
    name: ${STACK_NAME}_secret_nonce_${SERCRET_NONCE_VERSION}
    external: true
  oidc_client_secret:
    name: ${STACK_NAME}_oidc_client_secret_${OIDC_CLIENT_SECRET_VERSION}
    external: true