services:
  grist:
    image: gristlabs/grist:latest
    environment:
      # Sets the header to look at for authentication
      GRIST_FORWARD_AUTH_HEADER: X-Forwarded-User
      # Forces Grist to only use a single team called 'Example'
      GRIST_SINGLE_ORG: my-grist-team   # alternatively, GRIST_ORG_IN_PATH: "true" for multi-team operation
      # Force users to login (disable anonymous access)
      GRIST_FORCE_LOGIN: true
      # Base URL Grist redirects to when navigating. Change this to your domain.
      APP_HOME_URL: https://grist.localhost
      # Default email for the "Admin" account
      GRIST_DEFAULT_EMAIL: test@example.org
    volumes:
      # Where to store persistent data, such as documents.
      - ${PERSIST_DIR}/grist:/persist
    labels:
      - "traefik.http.services.grist.loadbalancer.server.port=8484"
      - "traefik.http.routers.grist.rule=Host(`grist.localhost`)"
      - "traefik.http.routers.grist.tls.certresolver=letsencrypt"
      - "traefik.http.routers.grist-auth.rule=Host(`grist.localhost`) && (PathPrefix(`/auth/login`) || PathPrefix(`/_oauth`))"
      - "traefik.http.routers.grist-auth.middlewares=grist-basic-auth@file"
      - "traefik.http.routers.grist-auth.tls.certresolver=letsencrypt"

  traefik:
    image: traefik:latest
    ports:
      # HTTP Ports
      - "80:80"
      - "443:443"
      # The Web UI (enabled by --api.insecure=true)
      # - "8080:8080"
    volumes:
      # Set the config file for traefik - this is loaded automatically.
      - ./configs/traefik-config.yml:/etc/traefik/traefik.yml
      # Set the config file for the dynamic config, such as middleware.
      - ./configs/traefik-dynamic-config.yml:/etc/traefik/dynamic/dynamic-config.yml
      # Certificate location, if automatic certificate setup is enabled.
      - ./configs/acme:/acme
      # Traefik needs docker access when configured via docker labels.
      - /var/run/docker.sock:/var/run/docker.sock
    depends_on:
      - grist