version: "3.8"

services:
  kopia:
    image: kopia/kopia:latest
    container_name: kopia
    restart: unless-stopped
    # We explicitly run as root (0:0) to solve the CHDIR issue, 
    # OR we make sure the host folders match UID 1000.
    user: "0:0" 
    command:
      - server
      - start
      - --address=0.0.0.0:51515
      - --server-username=${KOPIA_SERVER_USER}
      - --server-password=${KOPIA_SERVER_PASSWORD}
      - --config-file=/app/config/repository.config
      - --disable-csrf-token-checks
      - --insecure
    environment:
      - TZ=America/Montreal
      - KOPIA_PASSWORD=${KOPIA_PASSWORD}
      - USER=${KOPIA_USER}
    volumes:
      - /mnt/HoardingCow_docker_data/Kopia/config:/app/config
      - /mnt/HoardingCow_docker_data/Kopia/cache:/app/cache
      - /mnt/HoardingCow_docker_data/Kopia/repository:/repository
      # Required if you want to use the 'Mount' feature later
      - /tmp:/tmp:shared
      # Required for mounting backups as drives
    cap_add:
      - SYS_ADMIN
    devices:
      - /dev/fuse:/dev/fuse
    networks:
      - traefik-net
    labels:
      - "traefik.enable=true"
      # 1. HTTP to HTTPS Redirect
      - "traefik.http.routers.kopia-http.rule=Host(`backup.lazyworkhorse.net`)"
      - "traefik.http.routers.kopia-http.entrypoints=web"
      - "traefik.http.routers.kopia-http.middlewares=redirect-to-https@docker"
      
      # 2. HTTPS Configuration
      - "traefik.http.routers.kopia.rule=Host(`backup.lazyworkhorse.net`)"
      - "traefik.http.routers.kopia.entrypoints=websecure"
      - "traefik.http.routers.kopia.tls=true"
      - "traefik.http.routers.kopia.tls.certresolver=njalla"
      
      # 3. Backend Service Config
      - "traefik.http.services.kopia.loadbalancer.server.port=51515"

networks:
  traefik-net:
    external: true