version: "3"
services:
  traefik:
    image: traefik:v2.3
    command:
      - "--accesslog=true"
      - "--api.insecure=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entryPoints.websecure.forwardedHeaders.insecure"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker=true"

    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

  verify:
    image: pomerium/verify:latest
    labels:
      - "traefik.http.middlewares.pomerium.forwardauth.authResponseHeaders=X-Pomerium-Claim-Email,X-Pomerium-Claim-User,X-Pomerium-Claim-Groups,X-Pomerium-Jwt-Assertion"
      - "traefik.http.middlewares.pomerium.forwardauth.address=http://pomerium/"
      - "traefik.http.middlewares.pomerium.forwardauth.trustForwardHeader=true"
      - "traefik.http.routers.verify.middlewares=pomerium@docker"

      - "traefik.enable=true"
      - "traefik.http.routers.verify.rule=Host(`verify.localhost.pomerium.io`)"
      - "traefik.http.routers.verify.entrypoints=websecure"
      - "traefik.http.routers.verify.tls=true"

  pomerium:
    build: ../.
    volumes:
      - ../../:/workspace:cached
    command: /bin/sh -c "while sleep 1000; do :; done"
    environment:
      - INSECURE_SERVER=TRUE
      - ADDRESS=:80
      - FORWARD_AUTH_URL=http://pomerium
      - JWT_CLAIMS_HEADERS="email,groups,user"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.pomerium.rule=Host(`authenticate.localhost.pomerium.io`)"
      - "traefik.http.routers.pomerium.entrypoints=websecure"
      - "traefik.http.routers.pomerium.tls=true"
    expose:
      - 80