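# Swarm stack template (Jinja): the Traefik edge router and, only when
# https_port is defined, the Authelia forward-auth portal together with its
# Redis session store and PostgreSQL database.
version: '3.7'

services:
  traefik:
    image: traefik:2.1.6
    command:
      - "--api"
      - "--api.dashboard"
      # NOTE(review): debug logging is very verbose; consider a lower level
      # outside of troubleshooting sessions.
      - "--log.level=DEBUG"
      - "--providers.docker"
      - "--providers.docker.swarmMode=true"
      - "--providers.docker.network=traefikbig"
      - "--entryPoints.web.address=:80"
      # The IPs of our upstream proxies. X-Forwarded-* headers are accepted
      # from these addresses only, so keep the list as narrow as possible.
      - "--entryPoints.web.forwardedHeaders.trustedIPs={{ proxy_ip }}"
      - "--entryPoints.webs.address=:443"
      # The IPs of our upstream proxies (same rule as for the web entry point).
      - "--entryPoints.webs.forwardedHeaders.trustedIPs={{ proxy_ip }}"
    ports:
      # Quoted so the rendered host:container pair is always read as a string.
      - "{{ http_port }}:80"
{% if https_port is defined %}
      - "{{ https_port }}:443"
{% endif %}
    networks:
      - traefikbig
    volumes:
      # Access to the Docker socket is equivalent to root on the manager node.
      # A read-only bind mount would not restrict API calls; a filtering
      # socket proxy is the usual way to narrow what Traefik can do.
      - /var/run/docker.sock:/var/run/docker.sock
    deploy:
      placement:
        constraints:
          - node.role == manager
      labels:
        # The rule has no Host() matcher, so the API and dashboard answer on
        # every hostname that reaches this entry point.
        - "traefik.http.routers.traefik-api.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`) || PathPrefix(`/traefik`)"
{% if https_port is defined %}
        - "traefik.http.routers.traefik-api.tls=true"
        - "traefik.http.routers.traefik-api.entryPoints=webs"
{% else %}
        - "traefik.http.routers.traefik-api.entryPoints=web"
{% endif %}
        - "traefik.http.routers.traefik-api.service=api@internal"
        - "traefik.http.middlewares.traefik-strip.stripprefix.prefixes=/traefik"
        - "traefik.http.middlewares.traefik-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://{{ authentication_domain_name }}/"
        # Trusting forwarded headers here relies on the entry points'
        # trustedIPs list limiting who may set them.
        - "traefik.http.middlewares.traefik-auth.forwardauth.trustForwardHeader=true"
{% if https_port is defined %}
        - "traefik.http.routers.traefik-api.middlewares=traefik-auth,traefik-strip"
{% else %}
        # NOTE(review): without https_port no Authelia service is deployed and
        # this router carries no auth middleware, so the Traefik API and
        # dashboard are served unauthenticated on the web entry point.
        # Restrict access upstream before using this mode on a shared network.
        - "traefik.http.routers.traefik-api.middlewares=traefik-strip"
{% endif %}
        # Dummy service for Swarm port detection. The port can be any valid integer value.
        - "traefik.http.services.traefik-svc.loadbalancer.server.port=9999"

        # Some generally useful middlewares for organisms hosting
        - "traefik.http.middlewares.sp-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://{{ authentication_domain_name }}/"
        - "traefik.http.middlewares.sp-auth.forwardauth.trustForwardHeader=true"
        # Backends behind sp-auth receive the user identity in these headers;
        # presumably they must only be reachable through Traefik - verify.
        - "traefik.http.middlewares.sp-auth.forwardauth.authResponseHeaders=Remote-User,Remote-Groups"
{% if https_port is defined %}
        - "traefik.http.middlewares.sp-trailslash.redirectregex.regex=^(https?://[^/]+/sp/[^/]+)$$"
{% else %}
        # Plain-HTTP deployment: match the http scheme only (the former
        # pattern made the final "p" optional by mistake).
        - "traefik.http.middlewares.sp-trailslash.redirectregex.regex=^(http://[^/]+/sp/[^/]+)$$"
{% endif %}
        - "traefik.http.middlewares.sp-trailslash.redirectregex.replacement=$${1}/"
        - "traefik.http.middlewares.sp-trailslash.redirectregex.permanent=true"
{% if https_port is defined %}
        - "traefik.http.middlewares.sp-app-trailslash.redirectregex.regex=^(https?://[^/]+/sp/[^/]+/[^/]+)$$"
{% else %}
        # Plain-HTTP deployment: match the http scheme only.
        - "traefik.http.middlewares.sp-app-trailslash.redirectregex.regex=^(http://[^/]+/sp/[^/]+/[^/]+)$$"
{% endif %}
        - "traefik.http.middlewares.sp-app-trailslash.redirectregex.replacement=$${1}/"
        - "traefik.http.middlewares.sp-app-trailslash.redirectregex.permanent=true"
        - "traefik.http.middlewares.sp-prefix.stripprefixregex.regex=/sp/[^/]+"
        - "traefik.http.middlewares.sp-app-prefix.stripprefixregex.regex=/sp/[^/]+/[^/]+"
        - "traefik.http.middlewares.tripal-addprefix.addprefix.prefix=/tripal"
        # Request-body limits (about 50 MB and 2 GB). Attach sp-huge-req only
        # to routers that really need uploads of that size.
        - "traefik.http.middlewares.sp-big-req.buffering.maxRequestBodyBytes=50000000"
        - "traefik.http.middlewares.sp-huge-req.buffering.maxRequestBodyBytes=2000000000"
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s

{% if https_port is defined %}
  authelia:
    image: authelia/authelia:4.12.0
    networks:
      - traefikbig
    # depends_on is ignored when the file is deployed as a Swarm stack, so
    # start-up ordering is not enforced here.
    depends_on:
      - authelia-redis
      - authelia-db
    volumes:
      - ./authelia/:/etc/authelia/:ro
{% if authelia_secrets_env_path is defined %}
    # Secrets file read at deploy time; keep it out of version control and
    # readable by the deploying user only.
    env_file:
      - "{{ authelia_secrets_env_path }}"
{% endif %}
    deploy:
      labels:
        # NOTE(review): unlike traefik-api, this router sets neither tls nor
        # entryPoints; confirm the portal is really served over HTTPS, as the
        # rd= redirect URLs above expect.
        - "traefik.http.routers.authelia.rule=Host(`{{ authentication_domain_name }}`)"
        - "traefik.http.services.authelia.loadbalancer.server.port=9091"
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s

  authelia-redis:
    image: redis:5.0.7-alpine
    # NOTE(review): no requirepass is configured and the service sits on the
    # shared traefikbig overlay, so any container attached to that network can
    # reach the session store. A dedicated backend network for Authelia, Redis
    # and PostgreSQL would remove that exposure.
    command: ["redis-server", "--appendonly", "yes"]
    volumes:
      - ./authelia-redis/:/data/
    networks:
      - traefikbig
    deploy:
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s

  authelia-db:
    image: postgres:12.2-alpine
    environment:
      # Quoted so a password that starts with a YAML indicator or looks like a
      # number or boolean stays a string. The value must not contain a single
      # quote, and a literal dollar sign has to be doubled. The password is
      # visible in the service definition; a Docker secret consumed through
      # POSTGRES_PASSWORD_FILE avoids that.
      POSTGRES_PASSWORD: '{{ authelia_db_postgres_password }}'
    volumes:
      - ./docker_data/authelia_db/:/var/lib/postgresql/data/
    networks:
      - traefikbig
    deploy:
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s
{% endif %}

networks:
  traefikbig:
    driver: overlay
    name: traefikbig
    ipam:
      config:
        - subnet: 10.50.0.0/16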