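---
# Docker Swarm stack for the Kanidm identity server, rendered from a Jinja
# template. Web traffic is routed through Traefik on the external "proxy"
# network; port 3636 is published directly.
# The Jinja block tags below are kept at column 0 so they do not add stray
# indentation to the rendered YAML (assumes trim_blocks-style rendering, as
# Ansible's template module does by default - confirm for other renderers).
services:
  kanidm:
    # NOTE(review): ":latest" is a mutable tag. For an identity provider, pin
    # a specific release tag or image digest so upgrades are deliberate and
    # reviewable.
    image: kanidm/server:latest
    volumes:
      # Templated values are quoted so an empty or odd expansion cannot
      # change how the rendered YAML is parsed.
      - "{{ kanidm_base }}/volumes/data:/data"
      # Certificates are mounted read-only.
      # NOTE(review): if this directory also holds private keys for other
      # services, consider mounting only the files Kanidm needs.
      - "{{ letsencrypt_certs }}:/certs:ro"
    ports:
      # Published directly, bypassing Traefik.
      # NOTE(review): presumably Kanidm's LDAPS listener - confirm against
      # server.toml and restrict reachability at the host or network
      # firewall if it is not meant to be public.
      - "3636:3636"
    networks:
      - proxy
{% if homelab_build %}
    # Homelab builds only: if the certificate for idm_domain is not present
    # yet, wait 60 seconds, then start the server regardless.
    command:
      - /bin/sh
      - "-c"
      - |
        [ ! -f "/certs/{{ idm_domain }}.pem" ] && sleep 60
        # exec replaces the shell so kanidmd runs as PID 1 and receives the
        # stop signal itself, instead of being killed after the stop timeout.
        exec /sbin/kanidmd server -c /data/server.toml
    # The health check is disabled for this variant, so Swarm cannot tell a
    # waiting or failed server from a healthy one.
    healthcheck:
      disable: true
{% endif %}
    environment:
      - "TZ={{ timezone }}"
      # NOTE(review): presumably changes on every run to force a redeploy -
      # confirm.
      - "DEPLOYMENT_TIME={{ deployment_time }}"
    deploy:
      mode: replicated
      replicas: 1
      update_config:
        parallelism: 1
        # NOTE(review): start-first briefly runs the old and new task side by
        # side on the same /data bind mount. Confirm Kanidm's database
        # tolerates that overlap, or use stop-first.
        order: start-first
        failure_action: rollback
        monitor: 5s
      labels:
        - traefik.enable=true
        - traefik.swarm.network=proxy
        - traefik.http.routers.kanidm.tls=true
        - traefik.http.routers.kanidm.tls.certResolver=letsencrypt
        - 'traefik.http.routers.kanidm.rule=Host(`{{ idm_domain }}`)'
        - traefik.http.routers.kanidm.entrypoints=websecure
        # Traefik connects to Kanidm over TLS on 8443.
        # NOTE(review): whether Traefik verifies the backend certificate
        # depends on its serversTransport settings, which are not in this
        # file.
        - traefik.http.services.kanidm.loadbalancer.server.port=8443
        - traefik.http.services.kanidm.loadbalancer.server.scheme=https

networks:
  proxy:
    external: true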