version: "3"
services:
  traefik:
    image: traefik:v2.1
    command:
      - "--accesslog=true"
      - "--api.insecure=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entryPoints.websecure.forwardedHeaders.insecure"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker=true"

    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

  verify:
    image: pomerium/verify:latest
    labels:
      - "traefik.http.middlewares.pomerium.forwardauth.authResponseHeaders=X-Pomerium-Claim-Email,X-Pomerium-Claim-User,X-Pomerium-Claim-Groups,X-Pomerium-Jwt-Assertion"
      - "traefik.http.middlewares.pomerium.forwardauth.address=http://pomerium/"
      - "traefik.http.middlewares.pomerium.forwardauth.trustForwardHeader=true"

      - "traefik.http.routers.verify.middlewares=pomerium@docker"
      - "traefik.enable=true"
      - "traefik.http.routers.verify.rule=Host(`verify.localhost.pomerium.io`)"
      - "traefik.http.routers.verify.entrypoints=websecure"
      - "traefik.http.routers.verify.tls=true"

  pomerium:
    image: pomerium/pomerium:latest
    volumes:
      - ./config.yaml:/pomerium/config.yaml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.pomerium.rule=Host(`authenticate.localhost.pomerium.io`)"
      - "traefik.http.routers.pomerium.entrypoints=websecure"
      - "traefik.http.routers.pomerium.tls=true"
    expose:
      - 80