version: '3.4'

services:

  mybunker:
    image: bunkerity/bunkerweb:1.4.0
    ports:
      - 80:8080
      - 443:8443
    # ⚠️ read this if you use local folders for volumes ⚠️
    # bunkerweb runs as an unprivileged user with UID/GID 101
    # don't forget to edit the permissions of the files and folders accordingly
    # example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
    # or for an existing one : chown -R root:101 folder && chmod -R 770 folder
    # more info at https://docs.bunkerweb.io
    volumes:
      - bw_data:/data
    environment:
      - MULTISITE=yes
      - SERVER_NAME=auth.example.com app1.example.com app2.example.com # replace with your domains
      - SERVE_FILES=no
      - DISABLE_DEFAULT_SERVER=yes
      - AUTO_LETS_ENCRYPT=yes
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - USE_REVERSE_PROXY=yes
      # Proxy to auth_request URI
      - REVERSE_PROXY_URL_999=/authelia
      - REVERSE_PROXY_HOST_999=http://authelia:9091/api/verify
      - REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length ""
      # Authelia
      - auth.example.com_REVERSE_PROXY_URL=/
      - auth.example.com_REVERSE_PROXY_HOST=http://authelia:9091
      - auth.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no
      # Applications
      - app1.example.com_REVERSE_PROXY_URL=/
      - app1.example.com_REVERSE_PROXY_HOST=http://app1:3000
      - app1.example.com_REVERSE_PROXY_AUTH_REQUEST=/authelia
      - app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri
      - app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email
      - app1.example.com_REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
      - app2.example.com_REVERSE_PROXY_URL=/
      - app2.example.com_REVERSE_PROXY_HOST=http://app2
      - app2.example.com_REVERSE_PROXY_AUTH_REQUEST=/authelia
      - app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri
      - app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email
      - app2.example.com_REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email

  # APPLICATIONS
  app1:
    image: node
    working_dir: /home/node/app
    volumes:
      - ./js-app:/home/node/app
    environment:
      - NODE_ENV=production
    command: bash -c "npm install express && node index.js"
  app2:
    image: tutum/hello-world

  # AUTHELIA
  authelia:
    image: authelia/authelia
    container_name: authelia
    volumes:
      - ./authelia:/config
    restart: unless-stopped
    healthcheck:
      disable: true
    environment:
      - TZ=Europe/Paris

  redis:
    image: redis:alpine
    container_name: redis
    volumes:
      - ./redis:/data
    expose:
      - 6379
    restart: unless-stopped
    environment:
      - TZ=Europe/Paris

volumes:
  bw_data: