version: "3.8"

services:
  # kopia:
  #   image: kopia/kopia:latest
  #   container_name: kopia
  #   restart: unless-stopped
  #   # We explicitly run as root (0:0) to solve the CHDIR issue, 
  #   # OR we make sure the host folders match UID 1000.
  #   user: "0:0" 
  #   command:
  #     - server
  #     - start
  #     - --address=0.0.0.0:51515
  #     - --server-username=${KOPIA_SERVER_USER}
  #     - --server-password=${KOPIA_SERVER_PASSWORD}
  #     - --config-file=/app/config/repository.config
  #     - --disable-csrf-token-checks
  #     - --insecure
  #   environment:
  #     - TZ=America/Montreal
  #     - KOPIA_PASSWORD=${KOPIA_PASSWORD}
  #     - USER=${KOPIA_USER}
  #   volumes:
  #     - /mnt/HoardingCow_docker_data/Kopia/config:/app/config
  #     - /mnt/HoardingCow_docker_data/Kopia/cache:/app/cache
  #     - /mnt/HoardingCow_docker_data/Kopia/repository:/repository
  #     # Required if you want to use the 'Mount' feature later
  #     - /tmp:/tmp:shared
  #     # Required for mounting backups as drives
  #   cap_add:
  #     - SYS_ADMIN
  #   devices:
  #     - /dev/fuse:/dev/fuse
  #   networks:
  #     - traefik-net
  #   labels:
  #     - "traefik.enable=true"
  #     # 1. HTTP to HTTPS Redirect
  #     - "traefik.http.routers.kopia-http.rule=Host(`backup.lazyworkhorse.net`)"
  #     - "traefik.http.routers.kopia-http.entrypoints=web"
  #     - "traefik.http.routers.kopia-http.middlewares=redirect-to-https@docker"
  #     
  #     # 2. HTTPS Configuration
  #     - "traefik.http.routers.kopia.rule=Host(`backup.lazyworkhorse.net`)"
  #     - "traefik.http.routers.kopia.entrypoints=websecure"
  #     - "traefik.http.routers.kopia.tls=true"
  #     - "traefik.http.routers.kopia.tls.certresolver=njalla"
  #     
  #     # 3. Backend Service Config
  #     - "traefik.http.services.kopia.loadbalancer.server.port=51515"

  restic-server:
    image: restic/restic:latest
    container_name: restic-server
    restart: always 
    user: "0:0"
    command: ["server", "--listen", ":8080", "--repo", "/data", "--tls-cert", "", "--tls-key", ""]
    environment:
      - TZ=America/Montreal
      - RESTIC_PASSWORD=${RESTIC_PASSWORD}
    volumes:
      - /mnt/HoardingCow_docker_data/Restic/data:/data
      # Mount paths to backup (adjust as needed)
      - /mnt/HoardingCow_docker_data:/source:ro
    networks:
      - backup_net
    labels:
      - "traefik.enable=false" # Internal only, accessed by restic-browser

  restic-browser:
    image: embergarage/restic-browser:latest
    container_name: restic-browser
    restart: always 
    environment:
      - TZ=America/Montreal
      - RESTIC_REPOSITORY=http://restic-server:8080
      - RESTIC_PASSWORD=${RESTIC_PASSWORD}
    networks:
      - backup_net
    labels:
      - "traefik.enable=true"
      # 1. HTTP to HTTPS Redirect
      - "traefik.http.routers.restic-browser-http.rule=Host(`backup.lazyworkhorse.net`)"
      - "traefik.http.routers.restic-browser-http.entrypoints=web"
      - "traefik.http.routers.restic-browser-http.middlewares=redirect-to-https@docker"
      
      # 2. HTTPS Configuration
      - "traefik.http.routers.restic-browser.rule=Host(`backup.lazyworkhorse.net`)"
      - "traefik.http.routers.restic-browser.entrypoints=websecure"
      - "traefik.http.routers.restic-browser.tls=true"
      - "traefik.http.routers.restic-browser.tls.certresolver=njalla"
      
      # 3. Backend Service Config
      - "traefik.http.services.restic-browser.loadbalancer.server.port=8000"

networks:
  backup_net:
    driver: bridge
    name: backup_net