services:
  voidauth: 
    image: voidauth/voidauth:latest
    restart: unless-stopped
    volumes:
      - ${CONFIG_ROOT}/voidauth/config:/app/config
    depends_on:
      voidauth-db:
        condition: service_healthy
    labels:
      traefik.enable: 'true'
      traefik.http.routers.voidauth.rule: "Host(`auth.${DOMAIN}`)"
      traefik.http.routers.voidauth.entryPoints: 'https'
      traefik.http.routers.voidauth.tls: 'true'
      traefik.http.middlewares.voidauth.forwardAuth.address: 'http://voidauth:3000/api/authz/forward-auth'
      traefik.http.middlewares.voidauth.forwardAuth.trustForwardHeader: 'true'
      traefik.http.middlewares.voidauth.forwardAuth.authResponseHeaders: 'Remote-User,Remote-Name,Remote-Email,Remote-Groups'

  voidauth-db:
    image: postgres:18
    restart: unless-stopped
    environment:
      POSTGRES_PASSWORD: # required, same as voidauth DB_PASSWORD
    volumes:
      - ${CONFIGROOT}/voidauth/db:/var/lib/postgresql/18/docker
    healthcheck:
      test: "pg_isready -U postgres -h localhost"