name: Bootstrap

services:
  # TODO: Authenticate the services that can talk to docker
  docker:
    image: alpine/socat
    command: tcp-listen:2375,fork,reuseaddr unix-connect:/var/run/docker.sock
    networks:
      - docker
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    restart: unless-stopped
    labels:
      nas-compose.boostrap: true

  portainer:
    image: portainer/portainer-ce
    command: >
      --host tcp://docker:2375
      --hide-label nas-compose.boostrap=true
      --admin-password-file /run/secrets/portainer_password
    user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
    networks:
      - docker
    volumes:
      - portainer_data:/data/
    secrets:
      - portainer_password
    depends_on:
      - docker
    restart: unless-stopped
    labels:
      nas-compose.boostrap: true

networks:
  macvlan:
    name: macvlan
    labels:
      nas-compose.boostrap: true
  docker:
    name: docker
    labels:
      nas-compose.boostrap: true

volumes:
  portainer_data:
    driver_opts:
      type: none
      o: bind
      device: ${NASCOMPOSE_SERVICES?}/volumes/portainer/data/
    labels:
      nas-compose.boostrap: true

secrets:
  portainer_password:
    file: ${NASCOMPOSE_SERVICES?}/secrets/portainer/portainer_password