name: Bootstrap

services:
  docker:
    image: alpine/socat
    command: tcp-listen:2375,fork,reuseaddr unix-connect:/var/run/docker.sock
    networks:
      - docker
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    restart: unless-stopped
    labels:
      nas-compose.boostrap: true

  traefik:
    image: traefik
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    networks:
      - traefik
      - docker
    configs:
      - source: traefik
        target: /etc/traefik/
    depends_on:
      - docker
    restart: unless-stopped
    labels:
      nas-compose.boostrap: true

  portainer:
    image: portainer/portainer-ce
    command: >
      --host tcp://docker:2375
      --hide-label nas-compose.boostrap=true
      --admin-password-file /var/run/secrets/portainer_password
    networks:
      - docker
      - traefik
    volumes:
      - portainer:/data
    secrets:
      - portainer_password
    depends_on:
      - docker
    restart: unless-stopped
    labels:
      nas-compose.boostrap: true
      traefik.enable: true
      traefik.http.routers.portainer.rule: HostRegexp(`portainer{subdomain:(\.[a-z0-9-]+)?}.dedicated.contact`)
      traefik.http.services.portainer.loadbalancer.server.port: 9443
      traefik.http.services.portainer.loadbalancer.server.scheme: https

networks:
  docker:
    name: docker
    labels:
      nas-compose.boostrap: true
  traefik:
    name: traefik
    labels:
      nas-compose.boostrap: true

volumes:
  portainer:
    driver_opts:
      type: none
      o: bind
      device: ${MOUNT_DIR?}/portainer/data/
    labels:
      nas-compose.boostrap: true

configs:
  traefik:
    file: ${MOUNT_DIR?}/traefik/config/

secrets:
  portainer_password:
    file: ${MOUNT_DIR?}/portainer/secrets/portainer_password