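---
# Docker Compose stack for Frigate (NVR) published through Traefik.
# ${SECRETSDIR}, ${APPLICATION_NAME}, ${INTERNAL_PORT}, ${WEBAPP_NAME} and
# ${DOMAINNAME} are Compose interpolation variables and must be set in the
# environment or .env file used to bring the stack up.
name: frigate

secrets:
  # File-based secret; mounted in the container at
  # /run/secrets/frigate_rtsp_password.
  # NOTE(review): confirm Frigate actually reads the secret under this name;
  # its substitution variables conventionally carry a FRIGATE_ prefix.
  frigate_rtsp_password:
    file: ${SECRETSDIR}/frigate_rtsp_password

networks:
  traefik-net:
    external: true

services:
  frigate:
    hostname: frigate
    # NOTE(review): privileged mode grants every capability and access to all
    # host devices, which makes the cap_add and devices lists below redundant
    # and removes most container isolation. Test whether the explicit
    # devices/cap_add entries are sufficient and drop this if they are.
    privileged: true
    restart: unless-stopped
    image: ghcr.io/blakeblackshear/frigate:stable
    cap_add:
      - CAP_PERFMON
      - CAP_NET_ADMIN
      - CAP_NET_RAW
    shm_size: 128mb
    devices:
      - /dev/apex_0:/dev/apex_0
      - /dev/dri/renderD128:/dev/dri/renderD128
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /db/frigate:/db
      - /opt/frigate/config.yml:/config/config.yml
      - /mnt/frigate/media:/media/frigate
      - type: tmpfs
        target: /tmp/cache
        tmpfs:
          size: 1000000000
      - /certs:/certs
    # No host ports are published; the service is reachable only over
    # traefik-net. Reference for the container ports if they are ever needed:
    # ports:
    #   - "5000:5000"      # (HTTP): Internal, unauthenticated access. Good for
    #                      # local access or Home Assistant integration, but
    #                      # should be blocked externally
    #   - "8554:8554"      # (RTSP): For streaming camera feeds, especially the
    #                      # Birdseye view
    #   - "8555:8555/tcp"  # (WebRTC): For two-way audio and live streams,
    #                      # often used by mobile apps
    #   - "8555:8555/udp"  # (WebRTC): same as above, UDP transport
    #   - "8971:8971"      # (HTTPS/WS): Main authenticated access for UI and
    #                      # API. Use with reverse proxies for TLS/SSL
    env_file: .frigate.env
    secrets:
      - frigate_rtsp_password
    networks:
      - traefik-net
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik-net
      # If INTERNAL_PORT is 5000 (the unauthenticated port described above),
      # the basic-auth middleware attached to the routers below is the only
      # authentication in front of the UI and API.
      - traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${INTERNAL_PORT}
      # to ensure connection from traefik to frigate backend is secure, set
      # scheme to https
      # - traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.scheme=https
      # Basic-auth middleware. The users file path is resolved by Traefik, so
      # it must exist inside the Traefik container. The stray trailing quote
      # that was part of this value has been removed.
      - traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.usersfile=/mnt/users/${APPLICATION_NAME}.txt
      # HTTP router.
      - traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web
      - 'traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${WEBAPP_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)'
      # A router takes ONE middlewares label holding a comma-separated chain.
      # Previously this key was set twice, so the later value replaced the
      # auth entry and basic auth was never applied. The redirect middleware
      # is listed first so that (presumably, going by its name) the request is
      # sent to HTTPS before credentials are requested.
      - traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-secureHeaders-redirect@file,${APPLICATION_NAME}-auth
      - traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc
      # HTTPS router.
      - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure
      - 'traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${WEBAPP_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)'
      # Same single-label chain as on the HTTP router: security headers, then
      # basic auth.
      - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-secureHeaders@file,${APPLICATION_NAME}-auth
      - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true
      - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file
      - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns
      - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc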