---
# Compose stack for Fava (Beancount web UI), exposed only through Traefik.
# The HTTPS router applies the `fava-auth` forwardAuth middleware, which asks
# Authelia to authorise each request. No other access control is configured
# in this file.
version: "3.9"

services:
  fava:
    # No tag is given, so this resolves to `latest` and the running code can
    # change on any pull. Pin a reviewed tag or digest, e.g.
    # yegle/fava:<TAG-PLACEHOLDER> or yegle/fava@sha256:<DIGEST-PLACEHOLDER>.
    image: yegle/fava
    container_name: fava
    environment:
      # Path as seen inside the container, i.e. below the /data mount.
      - BEANCOUNT_FILE=/data/beancount_finance_vault/ledger/main/tpouplier.beancount
    volumes:
      # Mounted read-write (no `:ro`), so the container can modify the
      # ledger files on the host.
      - /mnt/HoardingCow_docker_data/Fava:/data
    networks:
      # No `ports:` entry, so port 5000 is not published on the host.
      # Containers attached to traefik-net can still reach fava:5000 directly,
      # without passing through the fava-auth middleware. Keep membership of
      # this network limited to the proxy and services you trust.
      - traefik-net
    restart: unless-stopped
    labels:
      - "traefik.enable=true"

      # Plain-HTTP router: its only middleware is the redirect to HTTPS.
      - "traefik.http.routers.fava-http.rule=Host(`money.lazyworkhorse.net`)"
      - "traefik.http.routers.fava-http.entrypoints=web"
      - "traefik.http.routers.fava-http.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"

      # HTTPS router: TLS via the `njalla` cert resolver, gated by fava-auth.
      - "traefik.http.routers.fava-https.rule=Host(`money.lazyworkhorse.net`)"
      - "traefik.http.routers.fava-https.entrypoints=websecure"
      - "traefik.http.routers.fava-https.tls=true"
      - "traefik.http.routers.fava-https.tls.certresolver=njalla"
      - "traefik.http.routers.fava-https.middlewares=fava-auth"

      # Authelia forwardAuth middleware. The verify call goes over plain HTTP
      # to the `authelia` container on the Docker network.
      # NOTE(review): /api/verify is the legacy endpoint in newer Authelia
      # releases; confirm it matches the deployed version.
      - "traefik.http.middlewares.fava-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lazyworkhorse.net/"
      # With trustforwardheader=true Traefik passes on the X-Forwarded-*
      # headers it received instead of replacing them. That is only safe when
      # clients cannot set those headers themselves. Check the entrypoints'
      # forwardedHeaders trusted IPs, or set this to false if Traefik is the
      # edge proxy.
      - "traefik.http.middlewares.fava-auth.forwardauth.trustforwardheader=true"
      # Headers copied from Authelia's response onto the proxied request.
      # NOTE(review): Authelia's documented identity headers are Remote-User
      # and Remote-Groups; confirm this deployment really returns the
      # X-Forwarded-* names listed here, otherwise nothing is forwarded.
      - "traefik.http.middlewares.fava-auth.forwardauth.authresponseheaders=X-Forwarded-User,X-Forwarded-Groups"

      # Container port that Traefik load-balances to.
      - "traefik.http.services.fava.loadbalancer.server.port=5000"

networks:
  # Created outside this stack and shared with the Traefik proxy.
  traefik-net:
    external: true