# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/

name: pihole

networks:
  traefik-net:
    external: true
    
secrets:
  pihole_webpassword:
    file: ${SECRETSDIR}/pihole_webpassword
    
services:
  pihole:
    image: pihole/pihole:latest
    hostname: pihole
    env_file: .pihole.env
    # For DHCP it is recommended to remove these ports and instead add: network_mode: "host"
#    ports:
#      - "53:53/tcp"
#      - "53:53/udp"
#      - "67:67/udp" # Only required if you are using Pi-hole as your DHCP server
#      - "80:80/tcp"
    networks:
      - traefik-net
    # Volumes store your data between container upgrades
    volumes:
      - "${DATADIR}/config:/etc/pihole"
      - "${DATADIR}/appdata:/etc/dnsmasq.d"
    #   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
#    cap_add:
#      - NET_ADMIN # Required if you are using Pi-hole as your DHCP server, else not needed
    restart: unless-stopped
    secrets:
      - pihole_webpassword
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik-net
      # http middlewares
      # ---------------------------
      #- "traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.users=${ADMIN_CREDENTIALS}, ${USER_CREDENTIALS}"
      #- "traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.usersfile=/mnt/users/${APPLICATION_NAME}.txt"
      - "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.permanent=true"
      #
      # http services
      # -------------
      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
      #
      # http routers
      # ------------
      # limit router to web ":80" entrypoint (Note: web entrypoint http requests are globally redirected to websecure router in traefik.yml)
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
      # set match criteria for router
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
      # attach middlewares to router
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=${APPLICATION_NAME}-https-redirect"
      # assign svc target to router
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
      #
      # limit router to websecure ":443" entrypoint
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
      # set match criteria for router
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
      # set router to be dedicated to secure requests only for the host specified in match criteria 
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
      # generate certificates using following certresolver
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=sthomeresolver"
      # attach middlewares to routers
      #- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=${APPLICATION_NAME}-auth"
      # assign svc target to routers
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"