services:
  voidauth: 
    image: voidauth/voidauth:latest
    restart: unless-stopped
    volumes:
      - ${CONFIG_ROOT}/voidauth/config:/app/config
    depends_on:
      voidauth-db:
        condition: service_healthy
    labels:
      traefik.enable: 'true'
      traefik.http.routers.voidauth.rule: "Host(`auth.${DOMAIN}`)"
      traefik.http.routers.voidauth.entryPoints: 'https'
      traefik.http.routers.voidauth.tls: 'true'
      traefik.http.services.voidauth.loadbalancer.server.port: "3000"
      traefik.http.middlewares.voidauth.forwardAuth.address: 'http://voidauth:3000/api/authz/forward-auth'
      traefik.http.middlewares.voidauth.forwardAuth.trustForwardHeader: 'true'
      traefik.http.middlewares.voidauth.forwardAuth.authResponseHeaders: 'Remote-User,Remote-Name,Remote-Email,Remote-Groups'
      traefik.docker.network: "traefik_public"
    networks:
      - internal
      - traefik_public
    env_file:
      - .env

  voidauth-db:
    image: postgres:18
    restart: unless-stopped
    environment:
      POSTGRES_PASSWORD: # required, same as voidauth DB_PASSWORD
    volumes:
      - ${CONFIG_ROOT}/voidauth/db:/var/lib/postgresql/18/docker
    healthcheck:
      test: "pg_isready -U postgres -h localhost"
    networks:
      - internal
    env_file:
      - .env

networks:
  internal:
    driver: bridge
  traefik_public:
    external: true