---
version: "3.8"

services:
  app:
    image: "traefik:v2.11.14"
    # Note(decentral1se): *please do not* add any additional ports here.
    # Doing so could break new installs with port conflicts. Please use
    # the usual `compose.$app.yml` approach for any additional ports
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "letsencrypt:/etc/letsencrypt"
      - "file-providers:/etc/traefik/file-providers"
    configs:
      - source: traefik_yml
        target: /etc/traefik/traefik.yml
      - source: file_provider_yml
        target: /etc/traefik/file-provider.yml
      - source: entrypoint
        target: /custom-entrypoint.sh
        mode: 0555
    networks:
      - proxy
      - internal
    environment:
      - DASHBOARD_ENABLED
      - LOG_LEVEL
      - LOG_MAX_AGE
    healthcheck:
      test: ["CMD", "traefik", "healthcheck"]
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 1m
    command: traefik
    entrypoint: /custom-entrypoint.sh
    deploy:
      update_config:
        failure_action: rollback
        order: start-first
      labels:
        - "traefik.enable=true"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=web"
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "traefik.http.routers.${STACK_NAME}.service=api@internal"
        - "traefik.http.routers.${STACK_NAME}.middlewares=security@file"
        - "coop-cloud.${STACK_NAME}.version=2.9.0+v2.11.14"
        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
        - "backupbot.backup=${ENABLE_BACKUPS:-true}"

  socket-proxy:
    image: lscr.io/linuxserver/socket-proxy:1.26.2-r0-ls30
    environment:
      - ALLOW_START=0
      - ALLOW_STOP=0
      - ALLOW_RESTARTS=0
      - AUTH=0
      - BUILD=0
      - COMMIT=0
      - CONFIGS=0
      - CONTAINERS=1 # Needs access
      - DISABLE_IPV6=0
      - DISTRIBUTION=0
      - EVENTS=1 # Needs access
      - EXEC=0
      - IMAGES=0
      - INFO=0
      - NETWORKS=1 # Needs access
      - NODES=0
      - PING=0
      - POST=0
      - PLUGINS=0
      - SECRETS=0
      - SERVICES=1 # Needs access
      - SESSION=0
      - SWARM=0
      - SYSTEM=0
      - TASKS=1 # Needs access
      - VERSION=1 # Needs access
      - VOLUMES=0
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - internal

networks:
  proxy:
    external: true
  internal:

configs:
  traefik_yml:
    name: ${STACK_NAME}_traefik_yml_${TRAEFIK_YML_VERSION}
    file: traefik.yml.tmpl
    template_driver: golang
  file_provider_yml:
    name: ${STACK_NAME}_file_provider_yml_${FILE_PROVIDER_YML_VERSION}
    file: file-provider.yml.tmpl
    template_driver: golang
  entrypoint:
    name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
    file: entrypoint.sh.tmpl
    template_driver: golang

volumes:
  letsencrypt:
  file-providers: