services:
  mealie:
    image: ghcr.io/mealie-recipes/mealie:v3.11.0@sha256:599c5cd87449e3cfc0cc02e373c145d029bb681d5a7ce7994b51cbb2e1d9e272
    container_name: mealie
    restart: unless-stopped
    environment:
      - TZ=Europe/Warsaw
      - BASE_URL=https://${MEALIE_DOMAIN}
      
      - ALLOW_SIGNUP=false
      - ALLOW_PASSWORD_LOGIN=false
      - PUID=1000
      - PGID=1000

      - OIDC_AUTH_ENABLED=true
      - OIDC_PROVIDER_NAME=Authentik
      - OIDC_CLIENT_ID_FILE=/run/secrets/mealie_oidc_client_id
      - OIDC_CLIENT_SECRET_FILE=/run/secrets/mealie_oidc_client_secret
      - OIDC_CONFIGURATION_URL=https://authentik-server:9000/application/o/authentik/.well-known/openid-configuration
      - OIDC_ADMIN_GROUP=mealie-admins
      - OIDC_USER_GROUP=mealie-users
      - OIDC_AUTO_REDIRECT=false
      - OIDC_REMEMBER_ME=true
    networks:
      - homelab_apps
    volumes:
      - mealie_data:/app/data/
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.mealie.rule=Host(`${MEALIE_DOMAIN}`)"
      - "traefik.http.routers.mealie.entrypoints=websecure"
      - "traefik.http.routers.mealie.tls=true"
      - "traefik.http.routers.mealie.tls.certresolver=le"
      - "traefik.http.services.mealie.loadbalancer.server.port=9000"

volumes:
  mealie_data:
    driver: local

networks:
  homelab_apps:
    external: true

secrets:
  mealie_oidc_client_id:
    environment: MEALIE_OIDC_CLIENT_ID
  mealie_oidc_client_secret:
    environment: MEALIE_OIDC_CLIENT_SECRET