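---
# Bootstrap stack for the NAS: a TCP bridge to the host Docker socket, the
# Traefik reverse proxy, and Portainer. Everything here carries the
# nas-compose.boostrap label, which Portainer is told to hide (see its
# --hide-label argument), so the label spelling must stay in sync.
#
# NOTE(review): the Compose specification restricts project names to
# lowercase letters, digits, dashes and underscores. Confirm the Compose
# version in use accepts this value; it is left unchanged because renaming
# the project changes project-scoped resource names.
name: Bootstrap

services:
  # TODO: Authenticate the services that can talk to docker
  # socat republishes the host Docker socket as plain TCP on port 2375 with
  # no TLS and no authentication. Any container attached to the `docker`
  # network can drive the Docker API, which is equivalent to root on the
  # host. Keep that network's membership as small as possible. A read-only
  # bind mount of the socket would not restrict API calls made through it.
  # NOTE(review): the image is unpinned (implicit latest); pin a version tag
  # or digest so a pull cannot silently change what runs.
  docker:
    image: alpine/socat
    command: tcp-listen:2375,fork,reuseaddr unix-connect:/var/run/docker.sock
    networks:
      - docker
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    restart: unless-stopped
    labels:
      # Quoted: label values are strings, and some Compose versions reject
      # a bare boolean here.
      nas-compose.boostrap: 'true'

  # TODO: Sort out authentication method for all services (SSO). Authelia?
  # Traefik is attached to the `docker` network, so it can reach the
  # unauthenticated Docker API bridge above.
  # NOTE(review): the image is unpinned (implicit latest); pin a version tag
  # or digest.
  traefik:
    image: traefik
    networks:
      - macvlan
      - traefik
      - docker
    ports:
      # Quoted so the HOST:CONTAINER pairs are always read as strings.
      # NOTE(review): 8080 is conventionally Traefik's API/dashboard port;
      # confirm in the static config (not shown here) that it is not served
      # unauthenticated (api.insecure).
      - '8080:8080'
      - '8443:443'
    environment:
      # `${VAR?}` makes Compose fail at startup if the variable is unset.
      - NASCOMPOSE_TRAEFIK_DOMAIN=${NASCOMPOSE_TRAEFIK_DOMAIN?}
      - NASCOMPOSE_MACVLAN_HOST_IP=${NASCOMPOSE_MACVLAN_HOST_IP?}
    configs:
      - source: traefik_static
        target: /etc/traefik/traefik.yml
      - source: traefik_dynamic
        target: /etc/traefik/dynamic/traefik.yml
      - source: traefik_synology
        target: /etc/traefik/dynamic/synology.yml
      - source: traefik_tls
        target: /etc/traefik/dynamic/tls.yml
      - source: traefik_hsts
        target: /etc/traefik/dynamic/hsts.yml
    secrets:
      - traefik_password  # TODO: Replace with SSO
      - traefik_tls_cert
      - traefik_tls_key
    depends_on:
      - docker
    restart: unless-stopped
    labels:
      nas-compose.boostrap: 'true'

  # Portainer manages the host through the plain-TCP Docker bridge; the
  # connection to docker:2375 is neither encrypted nor authenticated.
  # NOTE(review): the image is unpinned (implicit latest); pin a version tag
  # or digest.
  portainer:
    image: portainer/portainer-ce
    # Folded scalar: the three lines below become one argument string.
    # The admin password is read from the mounted secret file rather than
    # being passed on the command line.
    command: >
      --host tcp://docker:2375
      --hide-label nas-compose.boostrap=true
      --admin-password-file /run/secrets/portainer_password
    networks:
      - docker
      - traefik
    volumes:
      - portainer_data:/data/
    secrets:
      - portainer_password
    depends_on:
      - docker
    restart: unless-stopped
    labels:
      nas-compose.boostrap: 'true'
      traefik.enable: 'true'
      # Traefik forwards to Portainer over HTTPS on port 9443.
      traefik.http.services.portainer.loadbalancer.server.port: '9443'
      traefik.http.services.portainer.loadbalancer.server.scheme: https

networks:
  macvlan:
    name: macvlan
    labels:
      nas-compose.boostrap: 'true'
  # Carries the unauthenticated Docker API traffic; attach only services
  # that genuinely need to control Docker.
  docker:
    name: docker
    labels:
      nas-compose.boostrap: 'true'
  traefik:
    name: traefik
    labels:
      nas-compose.boostrap: 'true'

volumes:
  # Bind-mounts a host directory as the named volume for Portainer's data.
  portainer_data:
    driver_opts:
      type: none
      o: bind
      device: ${NASCOMPOSE_SERVICES?}/volumes/portainer/data/
    labels:
      nas-compose.boostrap: 'true'

configs:
  traefik_static:
    file: ${NASCOMPOSE_SERVICES?}/configs/traefik/traefik.yml
  traefik_dynamic:
    file: ${NASCOMPOSE_SERVICES?}/configs/traefik/dynamic/traefik.yml
  traefik_synology:
    file: ${NASCOMPOSE_SERVICES?}/configs/traefik/dynamic/synology.yml
  traefik_tls:
    file: ${NASCOMPOSE_SERVICES?}/configs/traefik/dynamic/tls.yml
  traefik_hsts:
    file: ${NASCOMPOSE_SERVICES?}/configs/traefik/dynamic/hsts.yml

# File-backed secrets: the htpasswd file, the TLS private key and the
# Portainer admin password live on the host under
# ${NASCOMPOSE_SERVICES}/secrets. Keep that directory out of version control
# and readable only by the account that runs Compose.
secrets:
  traefik_password:
    file: ${NASCOMPOSE_SERVICES?}/secrets/traefik/htpasswd
  traefik_tls_cert:
    file: ${NASCOMPOSE_SERVICES?}/secrets/traefik/traefik.cert
  traefik_tls_key:
    file: ${NASCOMPOSE_SERVICES?}/secrets/traefik/traefik.key
  portainer_password:
    file: ${NASCOMPOSE_SERVICES?}/secrets/portainer/portainer_password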