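---
# Reverse-proxy stack: nginx front end, CrowdSec log analysis, CrowdSec
# dashboard, certbot renewal loop and a dynamic-DNS updater.
#
# NOTE(review): every image below uses a floating tag (nginx:alpine,
# crowdsecurity/crowdsec:latest) or no tag at all (crowdsecurity/dashboard,
# certbot/certbot), so each pull can bring in different code. Pin each image
# to a specific release tag or digest.
services:
  nginx-proxy:
    image: nginx:alpine
    container_name: nginx-proxy
    restart: always
    ports:
      # Quoted so the host:container mapping is always read as a string.
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx/conf.d:/etc/nginx/conf.d:ro
      # Directories for the SSL certificates (read-only; certbot writes them)
      - ./ssl/conf:/etc/letsencrypt:ro
      - ./ssl/www:/var/www/certbot:ro
      # Access/error logs that CrowdSec reads; nginx needs write access here
      - ./nginx/logs:/var/log/nginx
    # Reload nginx every 24h so renewed SSL certificates are picked up
    command: /bin/sh -c "while :; do sleep 24h & wait $${!}; nginx -s reload; done & nginx -g 'daemon off;'"
    deploy:
      resources:
        limits:
          cpus: '0.25'
          memory: 128M
        reservations:
          memory: 64M
    networks:
      - proxy_network
      - gitea_network
      - cloud_network
      - matrix_network

  # NOTE(review): no remediation component (bouncer) is defined in this file.
  # CrowdSec on its own only raises decisions; confirm that something
  # enforces them (on the host or in another stack), otherwise nothing is
  # actually blocked.
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    container_name: crowdsec
    restart: always
    environment:
      # Rule collections to install on first start
      COLLECTIONS: "crowdsecurity/nginx crowdsecurity/http-cve crowdsecurity/whitelist-good-actors"
      # To keep the output uncluttered, logging can be limited to errors
      # LEVEL_TRACE: "false"
    volumes:
      # Read the nginx logs (read-only)
      - ./nginx/logs:/var/log/nginx:ro
      # Configuration and database
      - ./crowdsec/config:/etc/crowdsec
      - ./crowdsec/data:/var/lib/crowdsec/data
    ports:
      # NOTE(review): published on all host interfaces. Container port 8080
      # is presumably the CrowdSec Local API; if only local clients use it,
      # publish on loopback only ("127.0.0.1:8081:8080") or drop the mapping.
      - "8081:8080"
    deploy:
      resources:
        limits:
          cpus: '0.5'
          memory: 256M

  dashboard:
    image: crowdsecurity/dashboard
    container_name: crowdsec-dashboard
    restart: always
    environment:
      - MB_DB_FILE=/data/metabase.db
    volumes:
      # NOTE(review): this is the same host directory crowdsec uses for its
      # database, mounted read-write. The dashboard can therefore modify
      # CrowdSec's data; confirm that is required.
      - ./crowdsec/data:/data
    ports:
      # NOTE(review): the dashboard UI is published on all host interfaces
      # and bypasses nginx-proxy (no TLS termination in front of it). Prefer
      # a loopback-only mapping or routing it through the proxy with
      # authentication.
      - "3001:3000"

  certbot:
    image: certbot/certbot
    container_name: certbot
    # Added for consistency with the other long-running services: without a
    # restart policy the renewal loop does not come back after a Docker
    # daemon or host restart and certificates silently stop renewing.
    restart: always
    volumes:
      - ./ssl/conf:/etc/letsencrypt
      - ./ssl/www:/var/www/certbot
    # Checks the certificates twice a day; per the original note, a
    # certificate is renewed once fewer than 30 days remain.
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; sleep 30s & wait $${!}; do certbot renew; sleep 12h & wait $${!}; done;'"
    deploy:
      resources:
        limits:
          cpus: '0.25'
          memory: 128M
        reservations:
          memory: 64M
    networks:
      - proxy_network

  ddns:
    build: ./ddns
    container_name: ddns
    restart: always
    # ${VAR:?} makes compose fail fast when a credential is not set.
    # NOTE(review): the login and password are passed as process arguments,
    # so they are readable through `docker inspect` and the process list.
    # If the ddns image can read them from the environment or a mounted
    # secret file instead, prefer that.
    command: ["${REGRU_LOGIN:?}", "${REGRU_PASSWORD:?}"]
    volumes:
      - ./ddns/domains.txt:/app/domains.txt
    environment:
      - TZ=Europe/Samara
    deploy:
      resources:
        limits:
          cpus: '0.25'
          memory: 128M
        reservations:
          memory: 64M
    networks:
      - proxy_network

networks:
  proxy_network:
    name: proxy_network
    driver: bridge
  # Networks owned by other stacks; they must already exist.
  gitea_network:
    external: true
    name: gitea_network
  cloud_network:
    external: true
    name: cloud_network
  matrix_network:
    external: true
    name: matrix_network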