---
services:
  array-qbittorrent:
    image: lscr.io/linuxserver/qbittorrent:latest
    network_mode: "service:array-gluetun"
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Berlin
    volumes:
      - qbittorrent-config:/config
      - /mnt/osirisbox:/data
      - qbittorrent-incomplete:/incomplete
    depends_on:
      array-gluetun:
        condition: service_healthy
    healthcheck:
      # Checks if the WebUI is responding on the default port 8080
      test: ["CMD", "curl", "-f", "http://localhost:8080/"]
      interval: 1m
      timeout: 10s
      retries: 3
      start_period: 1m

  array-gluetun:
    image: qmcgaw/gluetun
    # line above must be uncommented to allow external containers to connect.
    # See https://github.com/qdm12/gluetun-wiki/blob/main/setup/connect-a-container-to-gluetun.md#external-container-to-gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
    environment:
      - VPN_PORT_FORWARDING_UP_COMMAND=/bin/sh -c 'wget -O- --retry-connrefused --post-data "json={\"listen_port\":{{PORT}},\"current_network_interface\":\"{{VPN_INTERFACE}}\",\"random_port\":false,\"upnp\":false}" http://127.0.0.1:8080/api/v2/app/setPreferences 2>&1' VPN_PORT_FORWARDING_DOWN_COMMAND=/bin/sh -c 'wget -O- --retry-connrefused --post-data "json={\"listen_port\":0,\"current_network_interface\":\"lo"}" http://127.0.0.1:8080/api/v2/app/setPreferences 2>&1'
    volumes:
      - gluetun:/gluetun
    networks:
      - array
    labels:
      - "traefik.enable=true"
      # Define a custom service pointing to port 8080 (qBittorrent WebUI)
      - "traefik.http.services.gluetun-svc.loadbalancer.server.port=8080"

      # --- SECURE ROUTER (HTTPS) ---
      # 1. Match the domain
      - "traefik.http.routers.gluetun-secure.rule=Host(`qbittorrent.karmacoma.dev`)"
      # 2. Use HTTPS entrypoint
      - "traefik.http.routers.gluetun-secure.entrypoints=https"
      # 3. Enable TLS (SSL) using LetsEncrypt
      - "traefik.http.routers.gluetun-secure.tls=true"
      - "traefik.http.routers.gluetun-secure.tls.certresolver=letsencrypt"
      # 4. Apply the Authentik Middleware (Check the name matches your dynamic config)
      - "traefik.http.routers.gluetun-secure.middlewares=authentik-auth@file"
      # 5. Point to the service we defined above
      - "traefik.http.routers.gluetun-secure.service=gluetun-svc"
      # 6. PRIORITY: This is the fix. Higher number wins over Coolify defaults.
      - "traefik.http.routers.gluetun-secure.priority=100"

      # --- OPTIONAL: HTTP REDIRECT (Standard Coolify behavior) ---
      - "traefik.http.routers.gluetun-http.rule=Host(`qbittorrent.karmacoma.dev`)"
      - "traefik.http.routers.gluetun-http.entrypoints=http"
      - "traefik.http.routers.gluetun-http.middlewares=redirect-to-https"
      - "traefik.http.routers.gluetun-http.priority=100"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"

networks:
  array:
    external: true