version: '3.8'

services:
  openvpn:
    cap_add:
      - NET_ADMIN
    image: kylemanna/openvpn
    networks:
      - public
    deploy:
      mode: replicated
      replicas: 1
      update_config:
        parallelism: 1
        delay: 5s
        order: start-first
        failure_action: rollback
      rollback_config:
        order: start-first
      placement:
        constraints:
          - node.role == manager
    ports:
      - "1194:1194/udp"
      - "1194:1194"
    volumes:
      - openvpn:/etc/openvpn


  #-p 127.0.0.1:2375:2375
  docker-socket-proxy:
    image: tecnativa/docker-socket-proxy
    environment:
      - SERVICES=1
      - NETWORKS=1
      - TASKS=1
    cap_add:
      - NET_ADMIN
    networks:
      - local
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    deploy:
      placement:
        constraints:
          - node.role == manager



  traefik:
    image: traefik:v3.3
    environment:
      - TZ=Europe/Berlin
    ports:
      # Listen on port 443, default for HTTPS
      - "8443:443"
      - "8080:80"
    networks:
      - traefik
      - local
    deploy:
      labels:
        # Enable Traefik for this service, to make it available in the public network
        - traefik.enable=true
        # Use the custom label "traefik.constraint-label=traefik"
        # This public Traefik will only use services with this label
        # That way you can add other internal Traefik instances per stack if needed
        - traefik.constraint-label=traefik
        # IP white list middleware
        - traefik.http.middlewares.local.ipallowlist.sourcerange=10.0.0.0/12, 192.168.255.0/24, 172.35.0.0/24, 172.30.0.0/16
        - traefik.http.middlewares.local.ipallowlist.ipstrategy.depth=0
        - traefik.http.middlewares.admin-auth.basicauth.usersfile=/run/secrets/traefik-admin-user
        # traefik frontend
        - traefik.http.routers.traefik-https.rule=Host(`traefik.szabolcsi.dev`)
        - traefik.http.routers.traefik-https.entrypoints=https
        - traefik.http.routers.traefik-https.tls=true
        - traefik.http.routers.traefik-https.tls.certresolver=letsencrypt
        # Use the special Traefik service api@internal with the web UI/Dashboard
        - traefik.http.routers.traefik-https.service=api@internal
        - traefik.http.routers.traefik-https.middlewares=admin-auth,local
        # Use the "le" (Let's Encrypt) resolver created below
        - traefik.http.services.traefik.loadbalancer.server.port=8080
        # Prometheus
        - traefik.http.routers.traefik-metrics.rule=(Host(`traefik.szabolcsi.dev`) && PathPrefix(`/metrics`))
        - traefik.http.routers.traefik-metrics.entrypoints=https
        - traefik.http.routers.traefik-metrics.middlewares=local
        - traefik.http.routers.traefik-metrics.service=prometheus@internal
      update_config:
        order: "start-first"
        parallelism: 1
      rollback_config:
        parallelism: 1
        order: "start-first"
    volumes:
      # Add Docker as a mounted volume, so that Traefik can read the labels of other services
      - traefik-certificates:/certificates
      - traefik-config:/etc/traefik/dynamic_conf
      - traefik-letsencrypt:/letsencrypt
      # Mount the volume to store the certificates
    secrets:
      - traefik-admin-user
    command:
      - --providers.swarm.endpoint=tcp://docker-socket-proxy:2375
      - --providers.swarm.exposedByDefault=false
      - --providers.swarm.network=traefik
      # Add a constraint to only use services with the label "traefik.constraint-label=traefik"
      - --providers.swarm.constraints=Label(`traefik.constraint-label`, `traefik`)
      # Create an entrypoint "http" listening on port 80
      - --entrypoints.http.address=:80
      - --entrypoints.http.http.encodequerysemicolons=true
      - --entrypoints.http.http.redirections.entryPoint.to=https
      - --entrypoints.http.http.redirections.entryPoint.scheme=https
      # Create an entrypoint "https" listening on port 443
      - --entrypoints.https.address=:443
      - --entrypoints.https.transport.respondingTimeouts.readTimeout=600s
      - --entrypoints.https.transport.respondingTimeouts.idleTimeout=600s
      - --entrypoints.https.transport.respondingTimeouts.writeTimeout=600s
      - --entryPoints.https.proxyProtocol.trustedIPs=10.0.0.0/24,172.35.0.0/24,192.168.255.0/24,172.30.0.0/16
      - --entrypoints.https.http.encodequerysemicolons=true
      # dynamic config
      - --providers.file.directory=/etc/traefik/dynamic_conf
      - --providers.file.watch=true
      # Enable the access log, with HTTP requests
      - --accesslog
      - --accesslog.fields.names.StartUTC=drop
      # Acme
      - --certificatesresolvers.letsencrypt.acme.tlschallenge=true
      - --certificatesresolvers.letsencrypt.acme.email=letsencrypt@szabolcsi.eu
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
      # Enable Prometheus metrics
      - --entryPoints.metrics.address=:8082
      - --metrics.prometheus=true
      - --metrics.prometheus.addServicesLabels=true
      - --metrics.prometheus.entryPoint=metrics
      - --metrics.prometheus.manualrouting=true
      # Enable the Traefik log, for configurations and errors
      - --log
      - --log.level=WARN
      - --api

#  dns:
#    image: ubuntu/bind9:9.18-22.04_beta
#    environment:
#      - TZ=Europe/Berlin
#    networks:
#      - dns
#    deploy:
#      mode: replicated
#      replicas: 1
#      restart_policy:
#        condition: any
#    ports:
#      - "53:53"
#      - "53:53/udp"
#    volumes:
#      - dns-config:/etc/bind
#      - dns-cache:/var/cache/bind
#      - dns-records:/var/lib/bind




networks:
  public:
    name: base-public
    driver: overlay
    internal: false
    ipam:
      config:
        - subnet: 172.30.4.0/24
  local:
    name: base-network
    driver: overlay
    internal: true
    ipam:
      config:
        - subnet: 172.30.5.0/24
  traefik:
    name: traefik
    external: true


volumes:
  #dns-config:
  #  name: dns-config
  #  driver: local
  #  driver_opts:
  #    type: nfs
  #    device: ":/nfs_share/base/dns/config"
  #    o: "addr=10.0.0.3,rw,soft,nfsvers=4"
  #dns-cache:
  #  name: dns-cache
  #  driver: local
  #  driver_opts:
  #    type: nfs
  #    device: ":/nfs_share/base/dns/cache"
  #    o: "addr=10.0.0.3,rw,soft,nfsvers=4"
  #dns-records:
  #  name: dns-records
  #  driver: local
  #  driver_opts:
  #    type: nfs
  #    device: ":/nfs_share/base/dns/records"
  #    o: "addr=10.0.0.3,rw,soft,nfsvers=4"
  openvpn:
    name: open-vpn
    driver: local
    driver_opts:
      type: nfs
      device: ":/nfs_share/base/open-vpn"
      o: "addr=10.0.0.3,rw,soft,nfsvers=4"
  traefik-certificates:
    name: traefik-certificates
    driver: local
    driver_opts:
      type: nfs
      device: ":/nfs_share/base/traefik/certificates"
      o: "addr=10.0.0.3,rw,soft,nfsvers=4"
  traefik-config:
    name: traefik-config
    driver: local
    driver_opts:
      type: nfs
      device: ":/nfs_share/base/traefik/config"
      o: "addr=10.0.0.3,rw,soft,nfsvers=4"
  traefik-letsencrypt:
    name: traefik-letsencrypt
    driver: local
    driver_opts:
      type: nfs
      device: ":/nfs_share/base/traefik/letsencrypt"
      o: "addr=10.0.0.3,rw,soft,nfsvers=4"

secrets:
  traefik-admin-user:
    name: ${TRAEFIK_USER_SECRET_NAME}
    external: true