services:
  homer:
    image: b4bz/homer
    container_name: homer
    environment:
      - UID=1000
      - GID=1000
      - TZ=America/Toronto
      - PORT=8080
    volumes:
      - /mnt/HoardingCow_docker_data/Homer/assets:/www/assets:rw
    restart: unless-stopped
    networks:
      - traefik-net
    labels:
      - "traefik.enable=true"

      # HTTP → HTTPS redirect
      - "traefik.http.routers.homer-http.rule=Host(`lazyworkhorse.net`)"
      - "traefik.http.routers.homer-http.entrypoints=web"
      - "traefik.http.routers.homer-http.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"

      # HTTPS router protected by Authelia
      - "traefik.http.routers.homer-https.rule=Host(`lazyworkhorse.net`)"
      - "traefik.http.routers.homer-https.entrypoints=websecure"
      - "traefik.http.routers.homer-https.tls=true"
      - "traefik.http.routers.homer-https.tls.certresolver=njalla"
      - "traefik.http.routers.homer-https.middlewares=homer-auth"

      # Authelia forwardAuth
      - "traefik.http.middlewares.homer-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lazyworkhorse.net/"
      - "traefik.http.middlewares.homer-auth.forwardauth.trustforwardheader=true"
      - "traefik.http.middlewares.homer-auth.forwardauth.authresponseheaders=X-Forwarded-User,X-Forwarded-Groups"

      # Internal port
      - "traefik.http.services.homer.loadbalancer.server.port=8080"

networks:
  traefik-net:
    external: true