services:
  uptimekuma:
    image: louislam/uptime-kuma:{{ uptimekuma_version }}
    container_name: uptimekuma
    restart: unless-stopped
    volumes:
      - {{ uptimekuma_data_dir }}/data:/app/data
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.uptimekuma.rule=Host(`{{ uptimekuma_domain }}`)"
      - "traefik.http.routers.uptimekuma.tls=true"
      - "traefik.http.routers.uptimekuma.tls.certresolver=letsencrypt"
      - "traefik.http.routers.uptimekuma.middlewares=uptimekuma-auth@docker"
      - "traefik.http.services.uptimekuma.loadbalancer.server.port=3001"
      # Authentik forward auth — protects the dashboard with Authentik SSO.
      # Pre-requisite: create a Proxy Provider (Forward Auth, single application)
      # in Authentik pointing to https://{{ uptimekuma_domain }}, then add it
      # to the embedded outpost.
      - "traefik.http.middlewares.uptimekuma-auth.forwardauth.address=https://{{ authentik_domain }}/outpost.goauthentik.io/auth/traefik"
      - "traefik.http.middlewares.uptimekuma-auth.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.uptimekuma-auth.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"
    networks:
      - {{ sovereign_network_name }}
    logging:
      driver: gelf
      options:
        gelf-address: "udp://{{ graylog_host }}:{{ graylog_gelf_port }}"
        tag: "uptimekuma"

networks:
  {{ sovereign_network_name }}:
    external: true