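---
# Compose override that adds a SimpleSAMLphp identity provider to the stack.
# NOTE(review): `app` has no image here and the `proxy` network is not declared
# in this file, so it is presumably merged with a base compose file - confirm.
version: "3.8"

services:
  app:
    # The app mounts every SimpleSAMLphp volume read-write, including the cert
    # and config volumes.
    # NOTE(review): if the app only reads them, appending `:ro` would keep a
    # compromised app container from altering what the IdP loads from these
    # paths (the cert volume presumably holds the SAML signing key) - confirm
    # what the app writes before changing.
    volumes:
      - "simplesaml:/var/simplesamlphp/"
      - "simplesaml_cert:/var/simplesamlphp/cert"
      - "simplesaml_config:/var/simplesamlphp/config"
      - "simplesaml_data:/var/simplesamlphp/data"
      - "simplesaml_log:/var/simplesamlphp/log"
      - "simplesaml_metadata:/var/simplesamlphp/metadata"
      - "simplesaml_modules:/var/simplesamlphp/modules"
    # Names without a value are passed through from the deploying environment.
    environment:
      - SAML_AUTH_SOURCE_ID
      - SAML_EMAIL_ATTRIBUTE
      - SAML_REAL_NAME_ATTRIBUTE
      - SAML_SERVICE_PROVIDER
      - SAML_USERNAME_ATTRIBUTE

  simplesaml:
    # image: unicon/simplesamlphp:1.19.6
    # NOTE(review): pinned by tag only, and a tag can be re-pointed in the
    # registry; pinning by digest (image@sha256:<digest-placeholder>) keeps the
    # deployed IdP image immutable.
    image: git.coopcloud.tech/coop-cloud-chaos-patchs/simplesamlphp:1.19.7
    secrets:
      - saml_admin_password
      - saml_secret_salt
    environment:
      - DOMAIN
      - CONFIG_BASEURLPATH=https://${DOMAIN}/simplesaml/
      # Admin password and secret salt are read from the mounted secret files
      # instead of being passed as plain environment values.
      - CONFIG_AUTHADMINPASSWORD_FILE=/run/secrets/saml_admin_password
      - CONFIG_SECRETSALT_FILE=/run/secrets/saml_secret_salt
      - CONFIG_TECHNICALCONTACT_NAME
      - CONFIG_TECHNICALCONTACT_EMAIL
      # NOTE(review): presumably map to SimpleSAMLphp's `showerrors` and
      # `errorreporting`. With error display on, internal error details can be
      # shown to anyone who reaches the public login endpoint; prefer `false`
      # outside of debugging and rely on the log volume instead.
      - CONFIG_SHOWERRORS=true
      - CONFIG_ERRORREPORTING=true
      - CONFIG_ADMINPROTECTINDEXPAGE=true
      - CONFIG_LOGGINGLEVEL=INFO
      - CONFIG_ENABLESAML20IDP=true
      - CONFIG_STORETYPE=sql
      #- CONFIG_MEMCACHESTOREPREFIX=simplesamlphp
      #- CONFIG_MEMCACHESTORESERVERS= 'memcache_store.servers' => [\n [\n ['hostname' => 'memcached']\n ],
      # NOTE(review): presumably sets OpenLDAP's TLS_REQCERT. `allow` lets the
      # session continue when the LDAP server presents no certificate or an
      # invalid one, so directory binds are not protected against an on-path
      # host; switch to `demand` once the directory's CA is trusted by the image.
      - OPENLDAP_TLS_REQCERT=allow
      - MTA_NULLCLIENT=true
      - POSTFIX_MYHOSTNAME=${DOMAIN}
      # `$$` escapes compose interpolation, so the container sees `$mydomain`.
      - POSTFIX_MYORIGIN=$$mydomain
      - POSTFIX_INETINTERFACES=loopback-only
      - DOCKER_REDIRECTLOGS=false
    # Required if DOCKER_REDIRECTLOGS=true
    # tty: true
    configs:
      - source: entrypoint_saml_conf
        target: /docker-entrypoint.simplesaml.sh
        # Octal file mode (r-xr-xr-x): executable, not writable in the container.
        # Left unquoted as in the original; presumably the deploy tooling reads
        # it as an octal integer - confirm before quoting or rewriting it.
        mode: 0555
    volumes:
      - "simplesaml:/var/simplesamlphp/"
      - "simplesaml_cert:/var/simplesamlphp/cert"
      - "simplesaml_config:/var/simplesamlphp/config"
      - "simplesaml_data:/var/simplesamlphp/data"
      - "simplesaml_log:/var/simplesamlphp/log"
      - "simplesaml_metadata:/var/simplesamlphp/metadata"
      - "simplesaml_modules:/var/simplesamlphp/modules"
    networks:
      - proxy
    entrypoint: /docker-entrypoint.simplesaml.sh
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=proxy"
        - "traefik.http.services.${STACK_NAME}_simplesaml.loadbalancer.server.port=80"
        # Everything under /simplesaml on ${DOMAIN} is routed to this service over
        # the TLS entrypoint.
        # NOTE(review): that presumably includes SimpleSAMLphp's admin pages, which
        # then depend on the admin password alone; consider an allow-list
        # middleware for the admin paths if they need not be public.
        - "traefik.http.routers.${STACK_NAME}_simplesaml.rule=(Host(`${DOMAIN}`) && PathPrefix(`/simplesaml`))"
        - "traefik.http.routers.${STACK_NAME}_simplesaml.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}_simplesaml.tls.certresolver=${LETS_ENCRYPT_ENV}"

volumes:
  simplesaml:
  simplesaml_cert:
  simplesaml_config:
  simplesaml_data:
  simplesaml_log:
  simplesaml_metadata:
  simplesaml_modules:

# Both secrets are external: they must exist before the stack is deployed. The
# version suffix in the name presumably supports rotation by creating a new
# secret and bumping the variable - confirm against the deployment tooling.
secrets:
  saml_admin_password:
    name: ${STACK_NAME}_saml_admin_password_${SECRET_SAML_ADMIN_PASSWORD_VERSION}
    external: true
  saml_secret_salt:
    name: ${STACK_NAME}_saml_secret_salt_${SECRET_SAML_SECRET_SALT_VERSION}
    external: true

configs:
  # Entrypoint script shipped as a config and rendered with the golang template
  # driver before it is mounted into the simplesaml service.
  entrypoint_saml_conf:
    name: ${STACK_NAME}_entrypoint_saml_${SAML_ENTRYPOINT_CONF_VERSION}
    file: entrypoint.simplesaml.sh.tmpl
    template_driver: golang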