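# Compose/stack template (Jinja2) for the Kanidm identity server: one replica,
# published through Traefik on the external "proxy" network.
services:
  kanidm:
    # NOTE(review): no tag or digest is given, so the image resolves to
    # "latest" and can change between deployments. For an identity provider,
    # pin a reviewed version or digest.
    image: kanidm/server
    volumes:
      # Templated values are quoted so an empty or unusual expansion cannot
      # change how the rendered YAML is parsed.
      - "{{ kanidm_base }}/volumes/data:/data"
      # Certificates are mounted read-only. NOTE(review): the whole letsencrypt
      # directory is exposed; if it also holds key material for other hosts,
      # narrow the mount to this domain's files - confirm the directory layout.
      - "{{ traextor_base }}/volumes/certs/letsencrypt:/certs:ro"
    networks:
      - proxy
{% if homelab_build %}
    # Homelab builds only: if the certificate file is missing, wait 60 seconds
    # once, then start the server whether or not the file has appeared.
    # `exec` replaces the wrapper shell so kanidmd receives the stop signal
    # directly and can shut down cleanly instead of being killed on timeout.
    command:
      - /bin/sh
      - "-c"
      - |
        [ ! -f "/certs/{{ idm_domain }}.pem" ] && sleep 60
        exec /sbin/kanidmd server -c /data/server.toml
    # The container healthcheck is switched off in this build, so the
    # orchestrator will not restart a hung server; rely on external monitoring.
    healthcheck:
      disable: true
{% endif %}
    deploy:
      mode: replicated
      replicas: 1
      labels:
        - traefik.enable=true
        - traefik.swarm.network=proxy
        - traefik.http.routers.kanidm.tls=true
        - traefik.http.routers.kanidm.tls.certResolver=letsencrypt
        - 'traefik.http.routers.kanidm.rule=Host(`{{ idm_domain }}`)'
        - traefik.http.routers.kanidm.entrypoints=websecure
        # Traefik connects to the backend over HTTPS on port 8443.
        # NOTE(review): whether Traefik verifies the backend certificate is set
        # in Traefik's own configuration, not visible here - confirm that
        # verification is not disabled for this service.
        - traefik.http.services.kanidm.loadbalancer.server.port=8443
        - traefik.http.services.kanidm.loadbalancer.server.scheme=https

networks:
  # Pre-existing network shared with Traefik; it is not created by this stack.
  proxy:
    external: true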