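# Docker Compose template (Jinja2) for a draw.io container exposed through
# Traefik via container labels.
#
# Variables read by this template:
#   drawio_image                      image reference to run; pinning it by
#                                     digest keeps the deployed content fixed
#   drawio_service_name               container name, also used as the Traefik
#                                     router / service / middleware name
#   drawio_traefik_network            external Docker network shared with Traefik
#   drawio_extra_hosts                optional list of extra_hosts entries
#   drawio_domain                     hostname matched by the router rule
#   drawio_port                       container port Traefik load-balances to
#   drawio_use_ssl                    true: websecure entrypoint with TLS,
#                                     false: plain web entrypoint
#   drawio_authentik_forward_auth     optional, defaults to false
#   drawio_authentik_forward_auth_url ForwardAuth endpoint, read only when
#                                     forward auth is enabled
#
# Jinja block tags are kept at column 0 so that whitespace in front of a tag
# cannot leak into the indentation of the rendered YAML. Templated scalars are
# quoted so an empty or boolean-looking value still renders as a string.
services:
  drawio:
    image: "{{ drawio_image }}"
    container_name: "{{ drawio_service_name }}"
    restart: unless-stopped
    # No `ports:` are published by this template: the container is meant to be
    # reachable only over the Traefik network, so the router (and its
    # middlewares) below is the single way in. Keep it that way if the
    # ForwardAuth gate is relied on for access control.
    networks:
      - "{{ drawio_traefik_network }}"
{% if drawio_extra_hosts is defined and drawio_extra_hosts | length > 0 %}
    extra_hosts:
{% for host in drawio_extra_hosts %}
      - "{{ host }}"
{% endfor %}
{% endif %}
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network={{ drawio_traefik_network }}"
      - "traefik.http.routers.{{ drawio_service_name }}.rule=Host(`{{ drawio_domain }}`)"
      - "traefik.http.services.{{ drawio_service_name }}.loadbalancer.server.port={{ drawio_port }}"
{% if drawio_use_ssl %}
      - "traefik.http.routers.{{ drawio_service_name }}.entrypoints=websecure"
      - "traefik.http.routers.{{ drawio_service_name }}.tls=true"
{% else %}
      # NOTE(review): plain-HTTP entrypoint. If ForwardAuth is enabled below,
      # the login redirect and session cookie travel unencrypted unless TLS is
      # terminated in front of Traefik - confirm before combining the two.
      - "traefik.http.routers.{{ drawio_service_name }}.entrypoints=web"
{% endif %}
{% if drawio_authentik_forward_auth | default(false) %}
      # ForwardAuth via the authentik embedded outpost. Unauthenticated
      # requests get redirected to authentik to log in; authentik then
      # sets X-Authentik-* headers traefik forwards downstream.
      - "traefik.http.middlewares.{{ drawio_service_name }}-authentik.forwardauth.address={{ drawio_authentik_forward_auth_url }}"
      # trustForwardHeader=true passes incoming X-Forwarded-* headers to the
      # auth endpoint as-is. That is only sound when the Traefik entrypoint
      # rewrites those headers for untrusted clients (forwardedHeaders
      # trustedIPs limited to known proxies) - verify the static config.
      - "traefik.http.middlewares.{{ drawio_service_name }}-authentik.forwardauth.trustForwardHeader=true"
      # Identity headers copied from the auth response onto the proxied
      # request. The list includes X-authentik-jwt; consider trimming it to
      # the headers the backend actually consumes.
      - "traefik.http.middlewares.{{ drawio_service_name }}-authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-entitlements,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"
      # Attaching the middleware to the router is what enforces the login;
      # without this label the middleware is defined but never applied.
      - "traefik.http.routers.{{ drawio_service_name }}.middlewares={{ drawio_service_name }}-authentik"
{% endif %}

networks:
  # Pre-existing network owned by the Traefik deployment; Compose will not
  # create it.
  {{ drawio_traefik_network }}:
    external: true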