name: "authelia"
services:
  app:
    image: authelia/authelia:latest
    restart: unless-stopped
    depends_on:
      - database
      - redis
    volumes:
      - ./config/authelia:/config
    ports:
      - "9091:9091"
    environment:
      AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE: /run/secrets/jwt_secret
      AUTHELIA_SESSION_SECRET_FILE: /run/secrets/session_secret
      AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE: /run/secrets/smtp_pass
      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/storage_encryption_key
      AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: /run/secrets/postgres_pass
      AUTHELIA_SESSION_REDIS_PASSWORD_FILE: /run/secrets/redis_pass
      AUTHELIA_THEME: auto
      AUTHELIA_LOG_LEVEL: debug
      AUTHELIA_AUTHENTICATION_BACKEND_FILE_PATH: /run/secrets/users_database
      AUTHELIA_TOTP_ISSUER: tremendousturtle.tools
      AUTHELIA_ACCESS_CONTROL_DEFAULT_POLICY: deny
      AUTHELIA_SESSION_REDIS_HOST: redis
      AUTHELIA_SESSION_REDIS_PORT: 6379
      AUTHELIA_STORAGE_POSTGRES_ADDRESS: tcp://database:5432
      AUTHELIA_STORAGE_POSTGRES_DATABASE: authelia
      AUTHELIA_STORAGE_POSTGRES_USERNAME: authelia
      AUTHELIA_NOTIFIER_SMTP_ADDRESS: submissions://smtp.mailgun.org:465
      AUTHELIA_NOTIFIER_SMTP_USERNAME: auth@mail.tremendousturtle.tools
      AUTHELIA_NOTIFIER_SMTP_SENDER: Authelia <auth@tremendousturtle.tools>
    secrets:
      - jwt_secret
      - session_secret
      - smtp_pass
      - storage_encryption_key
      - postgres_pass
      - redis_pass
      - users_database
    labels:
      - homepage.group=Utility
      - homepage.name=Authelia
      - homepage.icon=authelia
      - homepage.href=https://auth.tremendousturtle.tools/
      - homepage.description=Authentication

  database:
    image: postgres:15
    restart: unless-stopped
    volumes:
      - ./data/postgres:/var/lib/postgresql/data
    environment:
      POSTGRES_USER: authelia
      POSTGRES_PASSWORD_FILE: /run/secrets/postgres_pass
    secrets:
      - postgres_pass

  redis:
    image: redis:7
    restart: unless-stopped
    environment:
      REDIS_PASSWORD_FILE: /run/secrets/redis_pass
    command: sh -c "redis-server --save 60 1 --loglevel warning --requirepass $(cat $$REDIS_PASSWORD_FILE)"
    volumes:
      - ./data/redis:/data
    secrets:
      - redis_pass

secrets:
  postgres_pass:
    file: ./secrets/POSTGRES_PASS
  jwt_secret:
    file: ./secrets/JWT_SECRET
  session_secret:
    file: ./secrets/SESSION_SECRET
  smtp_pass:
    file: ./secrets/SMTP_PASSWORD
  storage_encryption_key:
    file: ./secrets/STORAGE_ENCRYPTION_KEY
  redis_pass:
    file: ./secrets/REDIS_PASSWORD
  users_database:
    file: ./secrets/users_database.yml