version: "3.8"

secrets:
  JWT_SECRET:
    file: ../secrets/authelia/JWT_SECRET
  SESSION_SECRET:
    file: ../secrets/authelia/SESSION_SECRET
  STORAGE_PASSWORD:
    file: ../secrets/authelia/STORAGE_PASSWORD
  STORAGE_ENCRYPTION_KEY:
    file: ../secrets/authelia/STORAGE_ENCRYPTION_KEY

services:
  authelia:
    container_name: authelia
    image: docker.io/authelia/authelia:4.37
    userns_mode: keep-id
    depends_on:
      - postgres
      - secrets
      - caddy
    restart: unless-stopped
    expose:
      - 9091
    secrets: [JWT_SECRET, SESSION_SECRET, STORAGE_PASSWORD, STORAGE_ENCRYPTION_KEY]
    environment:
      PUID: 1000
      PGID: 1000
      AUTHELIA_JWT_SECRET_FILE: /run/secrets/JWT_SECRET
      AUTHELIA_SESSION_SECRET_FILE: /run/secrets/SESSION_SECRET
      AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: /run/secrets/STORAGE_PASSWORD
      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/STORAGE_ENCRYPTION_KEY
    volumes:
      - ../data/authelia/config:/config

  postgres:
    image: postgres:16.0-alpine
    depends_on:
      - secrets
      - caddy
    secrets: [STORAGE_PASSWORD]
    restart: unless-stopped
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/STORAGE_PASSWORD
      POSTGRES_DB: authelia
      POSTGRES_USER: authelia
    volumes:
      - postgres-data:/var/lib/postgresql/data

  # setup a reverse proxy for caddy
  caddy:
    volumes:
      - ./authelia/Proxyfile:/etc/caddy.d/authelia:ro

  # backup the authelia config
  backup:
    volumes:
      - ../data/authelia/config:/mnt/backup/src/authelia/config:ro

  # generate all these secrets if they are empty on start
  secrets:
    volumes:
      - ../secrets/authelia/JWT_SECRET:/secrets/authelia/JWT_SECRET
      - ../secrets/authelia/SESSION_SECRET:/secrets/authelia/SESSION_SECRET
      - ../secrets/authelia/STORAGE_PASSWORD:/secrets/authelia/STORAGE_PASSWORD
      - ../secrets/authelia/STORAGE_ENCRYPTION_KEY:/secrets/authelia/STORAGE_ENCRYPTION_KEY

volumes:
  postgres-data:
  authelia-config: