services:
  minio:
    image: quay.io/minio/minio:{{ minio_version }}
    container_name: minio
    restart: unless-stopped
    command: server /data --console-address ":9001"
    environment:
      MINIO_ROOT_USER: "{{ minio_root_user }}"
      MINIO_ROOT_PASSWORD: "{{ minio_root_password }}"
      MINIO_BROWSER_REDIRECT_URL: "https://{{ minio_console_domain }}"
      MINIO_IDENTITY_OPENID_CONFIG_URL: "https://{{ authentik_domain }}/application/o/minio/.well-known/openid-configuration"
      MINIO_IDENTITY_OPENID_CLIENT_ID: "minio"
      MINIO_IDENTITY_OPENID_CLIENT_SECRET: "changeme_minio_oidc_secret"
      MINIO_IDENTITY_OPENID_CLAIM_NAME: "policy"
      MINIO_IDENTITY_OPENID_REDIRECT_URI: "https://{{ minio_console_domain }}/oauth_callback"
    ports:
      - "127.0.0.1:9010:9000"
    volumes:
      - {{ minio_data_dir }}/data:/data
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.minio-api.rule=Host(`{{ minio_domain }}`)"
      - "traefik.http.routers.minio-api.tls=true"
      - "traefik.http.routers.minio-api.tls.certresolver=letsencrypt"
      - "traefik.http.routers.minio-api.service=minio-api"
      - "traefik.http.services.minio-api.loadbalancer.server.port=9000"
      - "traefik.http.routers.minio-console.rule=Host(`{{ minio_console_domain }}`)"
      - "traefik.http.routers.minio-console.tls=true"
      - "traefik.http.routers.minio-console.tls.certresolver=letsencrypt"
      - "traefik.http.routers.minio-console.service=minio-console"
      - "traefik.http.services.minio-console.loadbalancer.server.port=9001"
    networks:
      - {{ sovereign_network_name }}
    logging:
      driver: gelf
      options:
        gelf-address: "udp://{{ graylog_host }}:{{ graylog_gelf_port }}"
        tag: "minio"

networks:
  {{ sovereign_network_name }}:
    external: true