---
services:
  array-qbittorrent:
    image: lscr.io/linuxserver/qbittorrent:latest
    network_mode: "service:array-gluetun"
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Berlin
    volumes:
      - qbittorrent-config:/config
      - /mnt/osirisbox:/data
    depends_on:
      array-gluetun:
        condition: service_healthy
    healthcheck:
      # Checks if the WebUI is responding on the default port 8080
      test: ["CMD", "curl", "-f", "http://localhost:8080/"]
      interval: 1m
      timeout: 10s
      retries: 3
      start_period: 1m

  array-gluetun:
    image: qmcgaw/gluetun
    # line above must be uncommented to allow external containers to connect.
    # See https://github.com/qdm12/gluetun-wiki/blob/main/setup/connect-a-container-to-gluetun.md#external-container-to-gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
    environment:
      - VPN_PORT_FORWARDING_STATUS_FILE=/tmp/gluetun/forwarded_port
    volumes:
      - gluetun:/gluetun
      - gluetun_port:/tmp/gluetun
    networks:
      - array
    labels:
      - "traefik.enable=true"
      # Define a custom service pointing to port 8080 (qBittorrent WebUI)
      - "traefik.http.services.gluetun-svc.loadbalancer.server.port=8080"

      # --- SECURE ROUTER (HTTPS) ---
      # 1. Match the domain
      - "traefik.http.routers.gluetun-secure.rule=Host(`qbittorrent.karmacoma.dev`)"
      # 2. Use HTTPS entrypoint
      - "traefik.http.routers.gluetun-secure.entrypoints=https"
      # 3. Enable TLS (SSL) using LetsEncrypt
      - "traefik.http.routers.gluetun-secure.tls=true"
      - "traefik.http.routers.gluetun-secure.tls.certresolver=letsencrypt"
      # 4. Apply the Authentik Middleware (Check the name matches your dynamic config)
      - "traefik.http.routers.gluetun-secure.middlewares=authentik-auth@file"
      # 5. Point to the service we defined above
      - "traefik.http.routers.gluetun-secure.service=gluetun-svc"
      # 6. PRIORITY: This is the fix. Higher number wins over Coolify defaults.
      - "traefik.http.routers.gluetun-secure.priority=100"

      # --- OPTIONAL: HTTP REDIRECT (Standard Coolify behavior) ---
      - "traefik.http.routers.gluetun-http.rule=Host(`qbittorrent.karmacoma.dev`)"
      - "traefik.http.routers.gluetun-http.entrypoints=http"
      - "traefik.http.routers.gluetun-http.middlewares=redirect-to-https"
      - "traefik.http.routers.gluetun-http.priority=100"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"

  array-qbt-gt-portmapping:
    image: patrickaclark/gluetun-qbittorrent-port-manager:latest
    restart: unless-stopped
    container_name: array-qbt-gt-portmapping
    network_mode: "service:array-gluetun"
    volumes:
      - gluetun_port:/tmp/gluetun
    environment:
      - QBITTORRENT_SERVER=localhost  # IP Address of qbittorrent
      - QBITTORRENT_PORT=8080
      - PORT_FORWARDED=/tmp/gluetun/forwarded_port
      - HTTP_S=http  # Select 'http' or 'https' depending on if you use certificates.
      - GLUETUN_HOST=localhost  # IP or FQDN of gluetun control server
      - GLUETUN_PORT=8000  # port of gluetun control server
      - RECHECK_TIME=60  # number of seconds between checks to gluetun server for port
      - TZ=Europe/Berlin
    healthcheck:
      test: ["CMD", "curl", "-H", "Authorization: $controlServerAuthKey", "-s", "http://localhost:8000/v1/openvpn/status", "|", "grep", "-q", '{"status":"running"}']
      interval: 30s
      timeout: 10s
      start_period: 60s
      retries: 3

volumes:
  gluetun_port:

networks:
  array:
    external: true