---
# Compose stack for a public BookStack instance: OIDC single sign-on,
# published through Traefik, database reached over a separate network.

# Both networks are declared external: Compose will not create them and
# they must already exist when this stack is started.
networks:
  frontend:
    external: true
  backend:
    external: true

services:
  bookstack-public:
    # No tag is given, so the runtime resolves `latest`. Pin a specific tag
    # or digest so an upstream change cannot reach this host unreviewed.
    image: lscr.io/linuxserver/bookstack
    container_name: bookstack-public
    restart: unless-stopped

    # Runs the container without an AppArmor profile, which removes one of
    # Docker's default confinement layers.
    # NOTE(review): confirm this is still required on this host; dropping
    # the entry restores the default profile.
    security_opt:
      - 'apparmor:unconfined'

    environment:
      - 'PUID=1000'
      - 'PGID=1000'
      - 'APP_URL=https://example.domain.com'

      # Database connection. ${DB_PASS} is interpolated by Compose from the
      # shell environment or an .env file, so the password is not stored in
      # this file. It still ends up in the container environment, where
      # `docker inspect` shows it.
      - 'DB_HOST=mariadb'
      - 'DB_PORT=3306'
      - 'DB_USER=bookstack_public'
      - 'DB_PASS=${DB_PASS}'
      - 'DB_DATABASE=bookstack_public'

      # OIDC login. The client id, client secret and issuer are supplied
      # from outside this file in the same way as DB_PASS.
      - 'AUTH_METHOD=oidc'
      - 'AUTH_AUTO_INITIATE=false'
      - 'OIDC_NAME=SSO'
      - 'OIDC_DISPLAY_NAME_CLAIMS=name'
      - 'OIDC_CLIENT_ID=${OIDC_CLIENT_ID}'
      - 'OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET}'
      - 'OIDC_ISSUER=${OIDC_ISSUER}'
      # With this set to false, logging out of BookStack does not end the
      # session at the identity provider.
      - 'OIDC_END_SESSION_ENDPOINT=false'
      - 'OIDC_ISSUER_DISCOVER=true'

      # Group sync: BookStack roles follow the `groups` claim, and roles
      # absent from the claim are removed. The identity provider's group
      # membership therefore decides authorization inside BookStack.
      - 'OIDC_USER_TO_GROUPS=true'
      - 'OIDC_GROUPS_CLAIM=groups'
      - 'OIDC_ADDITIONAL_SCOPES=groups'
      - 'OIDC_REMOVE_FROM_GROUPS=true'

    volumes:
      - '/docker/appdata/bookstack-public/config:/config'

    # Traefik router `book`: only the `websecure` entrypoint, TLS on, with
    # certificates from the `production` resolver, forwarding to container
    # port 80.
    # NOTE(review): the container joins two networks; if Traefik shares only
    # `frontend`, consider setting `traefik.docker.network` so the backend
    # address is never selected.
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.book.entrypoints=websecure'
      - 'traefik.http.routers.book.rule=Host(`example.domain.com`)'
      - 'traefik.http.routers.book.tls=true'
      - 'traefik.http.routers.book.tls.certresolver=production'
      - 'traefik.http.routers.book.service=book'
      - 'traefik.http.services.book.loadBalancer.server.port=80'

    # Attached to both external networks; presumably `backend` is where the
    # `mariadb` host named in DB_HOST lives (verify against the DB stack).
    networks:
      - frontend
      - backend