services:
  app:
    image: ghcr.io/sebadob/rauthy:0.34.3
    environment:
      - ADMIN_EMAIL
      - ADMIN_FORCE_MFA
      - DOMAIN
      - ENC_KEY_ACTIVE
      - LOG_LEVEL
    configs:
      - source: config_toml
        target: /app/config.toml
    secrets:
      - enc_keys_a
      - enc_keys_b
      - hql_api
      - hql_raft
    volumes:
      - data:/app/data
    networks:
      - proxy
    deploy:
      restart_policy:
        condition: on-failure
      labels:
        - "traefik.enable=true"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8080"
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.scheme=https"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.permanent=true"
        - "coop-cloud.${STACK_NAME}.version=1.2.1+0.34.3"
        - "backupbot.backup=${ENABLE_BACKUPS:-true}"

networks:
  proxy:
    external: true

configs:
  config_toml:
    name: ${STACK_NAME}_config_toml_${CONFIG_TOML_VERSION}
    file: config.toml.tmpl
    template_driver: golang

secrets:
  enc_keys_a:
    name: ${STACK_NAME}_enc_keys_a_${SECRET_ENC_KEYS_A_VERSION}
    external: true
  enc_keys_b:
    name: ${STACK_NAME}_enc_keys_b_${SECRET_ENC_KEYS_B_VERSION}
    external: true
  hql_raft:
    name: ${STACK_NAME}_hql_raft_${SECRET_HQL_RAFT_VERSION}
    external: true
  hql_api:
    name: ${STACK_NAME}_hql_api_${SECRET_HQL_API_VERSION}
    external: true

volumes:
  data: