name: authentication

services:
  authelia:
    hostname: authelia
    image: authelia/authelia
    command: --config /etc/authelia/configuration.yml,/etc/authelia/access.yml,/etc/authelia/authentication.yml
    environment:
      PUID: ${NASCOMPOSE_UID?}
      PGID: ${NASCOMPOSE_GID?}
      AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE: /run/secrets/jwt_secret
      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/storage_key
      AUTHELIA_NOTIFIER_SMTP_ADDRESS: ${NASCOMPOSE_AUTHELIA_SMTP_ADDRESS?}
      AUTHELIA_NOTIFIER_SMTP_USERNAME: ${NASCOMPOSE_AUTHELIA_SMTP_USERNAME?}
      AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE: /run/secrets/smtp_password
      AUTHELIA_NOTIFIER_SMTP_SENDER: "authelia@${NASCOMPOSE_DOMAIN?}"
      X_AUTHELIA_CONFIG_FILTERS: template
      TEMPLATE_NASCOMPOSE_DOMAIN: ${NASCOMPOSE_DOMAIN?}
    networks:
      - reverse-proxy
      - default
    volumes:
      - ${NASCOMPOSE_SERVICES?}/authentication/volumes/authelia_config/:/config/
      # Configuration
      - ${NASCOMPOSE_SERVICES?}/authentication/configs/authelia_configuration.yml:/etc/authelia/configuration.yml:ro
      - ${NASCOMPOSE_SERVICES?}/authentication/configs/authelia_access.yml:/etc/authelia/access.yml:ro
      - ${NASCOMPOSE_SERVICES?}/authentication/configs/authelia_authentication.yml:/etc/authelia/authentication.yml:ro
      # Secrets
      - ${NASCOMPOSE_SERVICES?}/authentication/secrets/authelia_jwt_secret:/run/secrets/jwt_secret:ro
      - ${NASCOMPOSE_SERVICES?}/authentication/secrets/authelia_storage_key:/run/secrets/storage_key:ro
      - ${NASCOMPOSE_SERVICES?}/authentication/secrets/authelia_smtp_password:/run/secrets/smtp_password:ro
      - ${NASCOMPOSE_SERVICES?}/authentication/secrets/authelia_oidcsecret:/run/secrets/oidcsecret:ro
      - ${NASCOMPOSE_SERVICES?}/authentication/secrets/authelia_oidc.key:/run/secrets/oidc.key:ro
    restart: unless-stopped
    labels:
      traefik.enable: true

  lldap:
    image: lldap/lldap
    environment:
      UID: ${NASCOMPOSE_UID?}
      GID: ${NASCOMPOSE_GID?}
      LLDAP_JWT_SECRET_FILE: /run/secrets/jwt_secret
      LLDAP_KEY_SEED_FILE: /run/secrets/key_seed
    networks:
      - reverse-proxy
      - default
    volumes:
      - ${NASCOMPOSE_SERVICES?}/authentication/volumes/lldap_data:/data
      # Secrets
      - ${NASCOMPOSE_SERVICES?}/authentication/secrets/lldap_jwt_secret:/run/secrets/jwt_secret:ro
      - ${NASCOMPOSE_SERVICES?}/authentication/secrets/lldap_key_seed:/run/secrets/key_seed:ro
    labels:
      traefik.enable: true
      traefik.http.services.lldap.loadbalancer.server.port: 17170

networks:
  reverse-proxy:
    external: true