# gluetun for arr apps
# to use gluetun from apps in other projects, use network_mode: "container:gluetun-arr"
# access apps in this project with 127.0.0.1:PORT, e.g. to access qbittorrent use localhost:10095
# NB: Start gluetun-arr first, before starting depending apps in other projects
#     Stop & inactivate depending apps in other projects first, before stopping this gluetun-arr

# we will use 10.255.239.0/24 block of the traefik subnet for containers that have to connect to arr apps
# See .static-ips.yml for static ip addresses

name: gluetun-qb

networks:
  traefik-net:
    external: true

secrets:
  wireguard_private_key:
    file: ${SECRETSDIR}/wireguard_private_key

services:
  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent:latest
    env_file: .${QBIT_APP}.env
    network_mode: "service:gluetun"
    volumes:
      - "${DATAROOT}/${QBIT_APP}/config:/config"
      - "${DOWNLOADSDIR}:${CT_DOWNLOADS}"
      - "${RECYCLINGDIR}/${QBIT_APP}:${CT_RECYCLINGBIN}:rw"
    restart: unless-stopped
    depends_on:
      gluetun:
        condition: service_healthy

  flaresolverr:
    # DockerHub mirror flaresolverr/flaresolverr:latest
    image: ghcr.io/flaresolverr/flaresolverr:latest
#    container_name: flaresolverr
    env_file: .${FLARESOLVERR_APP}.env
    network_mode: "service:gluetun"
    restart: unless-stopped

  gluetun:
    image: qmcgaw/gluetun:latest
    #hostname: gluetun-qb
    env_file: .gluetun.env
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    volumes:
      - "${DATADIR}/appdata:/gluetun"
    secrets:
      - wireguard_private_key
    networks:
      traefik-net:
        ipv4_address: 10.255.239.3  # to access services in this project from other containers; hostnames and aliases will not work
    restart: always
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik-net
      ##################################################################################
      ################################# QBIT_APP ##################################
      #
      # http services
      # -------------
      - "traefik.http.services.${QBIT_APP}-gt-svc.loadbalancer.server.port=${QBIT_PORT}"
      #
      # http routers
      # ------------
      # limit router to web ":80" entrypoint (Note: web entrypoint http requests are globally redirected to websecure router in traefik.yml)
      - "traefik.http.routers.${QBIT_APP}-rtr.entrypoints=web"
      # set match criteria for router
      - "traefik.http.routers.${QBIT_APP}-rtr.rule=Host(`${QBIT_URL}`)&& PathPrefix(`/`)"
      # attach middlewares to router
      - "traefik.http.routers.${QBIT_APP}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
       # assign svc target to router
      - "traefik.http.routers.${QBIT_APP}-rtr.service=${QBIT_APP}-gt-svc"
      #
      # limit router to websecure ":443" entrypoint
      - "traefik.http.routers.${QBIT_APP}-secure-rtr.entrypoints=websecure"
      # set match criteria for router
      - "traefik.http.routers.${QBIT_APP}-secure-rtr.rule=Host(`${QBIT_URL}`)&& PathPrefix(`/`)"
      # set router to be dedicated to secure requests only for the host specified in match criteria 
      - "traefik.http.routers.${QBIT_APP}-secure-rtr.tls=true"
      # apply tls options
      - "traefik.http.routers.${QBIT_APP}-secure-rtr.tls.options=tls-options@file"
      # generate certificates using following certresolver
      - "traefik.http.routers.${QBIT_APP}-secure-rtr.tls.certresolver=solver-dns"
      # attach middlewares to routers
      #- "traefik.http.routers.${QBIT_APP}-secure-rtr.middlewares=${QBIT_APP}-auth"
      - "traefik.http.routers.${QBIT_APP}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
      # assign svc target to router
      - "traefik.http.routers.${QBIT_APP}-secure-rtr.service=${QBIT_APP}-gt-svc"
      
      ##################################################################################
      ################################# FLARESOLVERR_APP ##################################
      - "traefik.http.services.${FLARESOLVERR_APP}-gt-svc.loadbalancer.server.port=${FLARESOLVERR_PORT}"
      - "traefik.http.routers.${FLARESOLVERR_APP}-rtr.entrypoints=web"
      - "traefik.http.routers.${FLARESOLVERR_APP}-rtr.rule=Host(`${FLARESOLVERR_URL}`)&& PathPrefix(`/`)"
      - "traefik.http.routers.${FLARESOLVERR_APP}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
      - "traefik.http.routers.${FLARESOLVERR_APP}-rtr.service=${FLARESOLVERR_APP}-gt-svc"
      - "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.entrypoints=websecure"
      - "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.rule=Host(`${FLARESOLVERR_URL}`)&& PathPrefix(`/`)"
      - "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.tls=true"
      - "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.tls.options=tls-options@file"
      - "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.tls.certresolver=solver-dns"
      #- "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.middlewares=${FLARESOLVERR_APP}-auth"
      - "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
      - "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.service=${FLARESOLVERR_APP}-gt-svc"
      
      ##################################################################################