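---
# WireGuard UI behind oauth2-proxy (OIDC).
# wgui runs with its own login disabled; oauth2-proxy is the only
# authentication layer and the only service that publishes a port.
version: '3.9'

services:
  wgui:
    container_name: wgui
    # NOTE(review): ':latest' is a moving tag; pin a version or digest so a
    # rebuild cannot silently change the code that manages WireGuard keys.
    image: wireguard-ui:latest
    read_only: true
    environment:
      # Built-in login is off, so every request that reaches wgui is treated
      # as authenticated. This is only safe while wgui publishes no ports and
      # no untrusted container shares its network.
      - DISABLE_LOGIN=true
    logging:
      driver: json-file
      options:
        max-size: '50m'
    volumes:
      - ./db:/app/db
      # Holds the WireGuard configuration; keep host permissions on this
      # directory tight.
      - ./wireguard:/etc/wireguard

  oauth2-proxy:
    container_name: wg-oauth2-proxy
    # NOTE(review): same unpinned-tag concern as above.
    image: quay.io/oauth2-proxy/oauth2-proxy:latest
    read_only: true
    hostname: oauth2-proxy
    # List form: each item is passed as one argument, so values containing
    # spaces or quotes are not re-split. ${VAR} is filled in by Compose.
    command:
      - --provider=oidc
      - --client-id=${CLIENT_ID}
      # NOTE(review): secrets given as flags appear in the container's
      # argument list. oauth2-proxy also reads OAUTH2_PROXY_CLIENT_SECRET and
      # OAUTH2_PROXY_COOKIE_SECRET from the environment, or a config file.
      - --client-secret=${CLIENT_SECRET}
      - --login-url=https://${AUTH_SERVER}/auth/realms/${REALM}/protocol/openid-connect/auth
      - --redeem-url=https://${AUTH_SERVER}/auth/realms/${REALM}/protocol/openid-connect/token
      - --profile-url=https://${AUTH_SERVER}/auth/realms/${REALM}/protocol/openid-connect/userinfo
      - --validate-url=https://${AUTH_SERVER}/auth/realms/${REALM}/protocol/openid-connect/userinfo
      - --oidc-jwks-url=https://${AUTH_SERVER}/auth/realms/${REALM}/protocol/openid-connect/certs
      - --oidc-issuer-url=https://${AUTH_SERVER}/auth/realms/${REALM}
      - --http-address=0.0.0.0:5000
      - --cookie-secret=${COOKIE_SECRET}
      # Session cookie is sent over plain HTTP. Acceptable only for the
      # localhost setup below; set to true once the proxy is served over TLS.
      - --cookie-secure=false
      # Any e-mail domain is accepted, so access is granted to every account
      # the realm authenticates. Restrict here or in the identity provider.
      - '--email-domain=*'
      - --upstream=http://wgui:5000/
      - --redirect-url=http://localhost:5000/oauth2/callback
      # X-Forwarded-* headers from clients are not trusted; correct while
      # nothing sits in front of this proxy.
      - --reverse-proxy=false
      - --scope=openid email profile
      # The next four flags forward user identity and the OIDC tokens to the
      # upstream. NOTE(review): confirm wgui needs the access token; if not,
      # drop the token-passing flags so it never holds bearer credentials.
      - --pass-user-headers=true
      - --pass-access-token=true
      - --pass-authorization-header=true
      - --set-authorization-header=true
      - --set-xauthrequest=true
    ports:
      # Published on loopback only: the redirect URL is http://localhost:5000
      # and cookies are not marked Secure, so publishing on every host
      # interface would expose session cookies over cleartext HTTP. Widen
      # this only together with TLS, --cookie-secure=true and a matching
      # --redirect-url.
      - '127.0.0.1:5000:5000/tcp'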