name: Bootstrap

services:
  # TODO: Authenticate the services that can talk to docker
  docker:
    image: alpine/socat
    command: tcp-listen:2375,fork,reuseaddr unix-connect:/var/run/docker.sock
    networks:
      - docker
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    restart: unless-stopped
    labels:
      nas-compose.boostrap: true

  # TODO: Sort out authentication method for all services (SSO). Authelia?
  traefik:
    image: traefik
    networks:
      - traefik
      - docker
      - macvlan
    environment:
      - NASCOMPOSE_DOMAIN=${NASCOMPOSE_DOMAIN?}
    # TODO: Move to configs?
    volumes:
      - traefik_dynamic_config:/etc/traefik/dynamic/:ro
    configs:
      - source: traefik_config
        target: /etc/traefik/traefik.yml
    secrets:
      - traefik_password # TODO: Replace with SSO
      - traefik_tls_cert
      - traefik_tls_key
    depends_on:
      - docker
    restart: unless-stopped
    labels:
      nas-compose.boostrap: true

  portainer:
    image: portainer/portainer-ce
    command: >
      --host tcp://docker:2375
      --hide-label nas-compose.boostrap=true
      --admin-password-file /run/secrets/portainer_password
    networks:
      - docker
      - traefik
    volumes:
      - portainer_data:/data/
    secrets:
      - portainer_password
    depends_on:
      - docker
    restart: unless-stopped
    labels:
      nas-compose.boostrap: true
      traefik.enable: true
      traefik.http.services.portainer.loadbalancer.server.port: 9443
      traefik.http.services.portainer.loadbalancer.server.scheme: https

networks:
  docker:
    name: docker
    labels:
      nas-compose.boostrap: true
  traefik:
    name: traefik
    labels:
      nas-compose.boostrap: true
  macvlan:
    name: macvlan
    labels:
      nas-compose.boostrap: true

volumes:
  portainer_data:
    driver_opts:
      type: none
      o: bind
      device: ${NASCOMPOSE_SERVICES?}/portainer/volumes/data/
    labels:
      nas-compose.boostrap: true
  traefik_dynamic_config:
    driver_opts:
      type: none
      o: bind
      device: ${NASCOMPOSE_SERVICES?}/traefik/volumes/config/
    labels:
      nas-compose.boostrap: true

configs:
  traefik_config:
    file: ${NASCOMPOSE_SERVICES?}/traefik/configs/traefik.yml

secrets:
  traefik_password:
    file: ${NASCOMPOSE_SERVICES?}/traefik/secrets/htpasswd
  traefik_tls_cert:
    file: ${NASCOMPOSE_SERVICES?}/traefik/secrets/traefik.cert
  traefik_tls_key:
    file: ${NASCOMPOSE_SERVICES?}/traefik/secrets/traefik.key
  portainer_password:
    file: ${NASCOMPOSE_SERVICES?}/portainer/secrets/portainer_password