services:
  silverbullet:
    image: ghcr.io/silverbulletmd/silverbullet
    restart: unless-stopped
    environment:
      - TZ={{ timezone }}
      - DEPLOYMENT_TIME={{ deployment_time }}
    volumes:
      - "{{ silverbullet_base }}/volumes/data:/space"
    networks:
      - proxy
    deploy:
      mode: replicated
      replicas: 1
      update_config:
        parallelism: 1
        order: start-first
        failure_action: rollback
      labels:
        - traefik.enable=true
        - traefik.swarm.network=proxy
        - traefik.http.routers.silverbullet.tls=true
        - traefik.http.routers.silverbullet.tls.certResolver=letsencrypt
        - traefik.http.routers.silverbullet.rule=Host(`{{ silverbullet_domain }}`)
        - traefik.http.routers.silverbullet.middlewares=oauth-verify,oauth-notes-users
        - traefik.http.middlewares.oauth-notes-users.forwardAuth.address=http://oauth2-proxy:4180/oauth2/auth?allowed_groups={{ notes_user_group }}
        - traefik.http.routers.silverbullet.entrypoints=websecure
        - traefik.http.services.silverbullet.loadbalancer.server.port=3000

networks:
  proxy:
    external: true