secrets:
  # These secrets are used by Authelia
  JWT_SECRET:
    file: ${SECRETS_DIR}/JWT_SECRET
  SESSION_SECRET:
    file: ${SECRETS_DIR}/SESSION_SECRET
  STORAGE_ENCRYPTION_KEY:
    file: ${SECRETS_DIR}/STORAGE_ENCRYPTION_KEY
  # These secrets are for using Authelia as an OIDC provider
  HMAC_SECRET:
    file: ${SECRETS_DIR}/HMAC_SECRET
  JWT_PRIVATE_KEY:
    file: ${SECRETS_DIR}/certs/private.pem
  GRIST_CLIENT_SECRET_DIGEST:
    file: ${SECRETS_DIR}/GRIST_CLIENT_SECRET_DIGEST

services:
  grist:
    image: gristlabs/grist:latest
    environment:
      # The URL of given OIDC provider. Used for redirects, among other things.
      GRIST_OIDC_IDP_ISSUER: https://${AUTHELIA_DOMAIN}
      # Client ID, as configured with the OIDC provider.
      GRIST_OIDC_IDP_CLIENT_ID: grist-local
      # Client secret, as provided by the OIDC provider.
      GRIST_OIDC_IDP_CLIENT_SECRET: ${GRIST_CLIENT_SECRET}
      # The URL to redirect to with the OIDC provider to log out.
      # Some OIDC providers will automatically configure this.
      GRIST_OIDC_IDP_END_SESSION_ENDPOINT: https://${AUTHELIA_DOMAIN}/logout
      # Allow self-signed certificates so this example behaves correctly.
      # REMOVE THIS IF HOSTING ON THE INTERNET.
      NODE_TLS_REJECT_UNAUTHORIZED: 0

      # Forces Grist to only use a single team called 'Example'
      GRIST_SINGLE_ORG: my-grist-team   # alternatively, GRIST_ORG_IN_PATH: "true" for multi-team operation
      # Force users to login (disable anonymous access)
      GRIST_FORCE_LOGIN: true
      # Base URL Grist redirects to when navigating. Change this to your domain.
      APP_HOME_URL: https://${GRIST_DOMAIN}
      # Default email for the "Admin" account
      GRIST_DEFAULT_EMAIL: ${DEFAULT_EMAIL:-test@example.org}
    restart: always
    volumes:
      # Where to store persistent data, such as documents.
      - ${PERSIST_DIR}/grist:/persist
    labels:
      - "traefik.http.services.grist.loadbalancer.server.port=8484"
      - "traefik.http.routers.grist.rule=Host(`${GRIST_DOMAIN}`)"
      - "traefik.http.routers.grist.service=grist"
      # Uncomment and configure in traefik-config.yml to enable automatic HTTPS certificate setup.
      #- "traefik.http.routers.grist.tls.certresolver=letsencrypt"
    depends_on:
      # Grist attempts to setup OIDC when it starts, making a request to the OIDC service.
      # This will fail if Authelia isn't ready and reachable.
      # Traefik will only start routing to Authelia when it's registered as healthy.
      # Making Grist wait for Authelia to be healthy should avoid this issue.
      authelia:
        condition: service_healthy
      traefik:
        condition: service_started

  traefik:
    image: traefik:latest
    ports:
      # HTTP Ports
      - "80:80"
      - "443:443"
      # The Web UI (enabled by --api.insecure=true)
      - "8080:8080"
      - "8082:8082"
    volumes:
      # Set the config file for traefik - this is loaded automatically.
      - ./configs/traefik/config.yml:/etc/traefik/traefik.yml
      # Certificate location, if automatic certificate setup is enabled.
      - ./secrets/acme_certificates:/acme
      # Traefik needs docker access when configured via docker labels.
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      default:
        aliases:
          # Enables Grist to resolve this domain to Traefik when doing OIDC setup.
          - ${AUTHELIA_DOMAIN}

  authelia:
    image: authelia/authelia:4
    secrets:
      - HMAC_SECRET
      - JWT_SECRET
      - JWT_PRIVATE_KEY
      - GRIST_CLIENT_SECRET_DIGEST
      - SESSION_SECRET
      - STORAGE_ENCRYPTION_KEY
    environment:
      AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE: '/run/secrets/JWT_SECRET'
      AUTHELIA_SESSION_SECRET_FILE: '/run/secrets/SESSION_SECRET'
      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: '/run/secrets/STORAGE_ENCRYPTION_KEY'
      HMAC_SECRET_FILE: '/run/secrets/HMAC_SECRET'
      JWT_PRIVATE_KEY_FILE: '/run/secrets/JWT_PRIVATE_KEY'
      # Domain Grist is hosted at. Custom variable that's interpolated into the Authelia config
      APP_DOMAIN: ${GRIST_DOMAIN}
      # Where Authelia should redirect to after successful authentication.
      GRIST_OAUTH_CALLBACK_URL: https://${GRIST_DOMAIN}/oauth2/callback
      # Hash of the client secret provided to Grist.
      GRIST_CLIENT_SECRET_DIGEST_FILE: "/run/secrets/GRIST_CLIENT_SECRET_DIGEST"
    volumes:
      - ./configs/authelia:/config
      - ${PERSIST_DIR}/authelia:/persist
    command:
      - 'authelia'
      - '--config=/config/configuration.yml'
      # Enables templating in the config file
      - '--config.experimental.filters=template'
    labels:
      - "traefik.http.services.authelia.loadbalancer.server.port=9091"
      - "traefik.http.routers.authelia.rule=Host(`${AUTHELIA_DOMAIN}`)"
      - "traefik.http.routers.authelia.service=authelia"
      # Uncomment and configure in traefik-config.yml to enable automatic HTTPS certificate setup.
      #- "traefik.http.routers.authelia.tls.certresolver=letsencrypt"