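{{ ansible_managed | comment }}
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>.

# Compose stack for the edge proxy: Traefik ("proxy"), a filtered Docker API
# endpoint it reads from ("dockersocket"), and two optional helpers: a Tor
# front ("tor") and a certificate exporter ("acme-dumper").
#
# Jinja block tags ({% ... %}) are kept at column 0 on purpose: Ansible renders
# templates with trim_blocks, so an indented tag would leak its indentation
# into the following YAML line.
version: '2'
services:
  # Filtered, read-only view of the Docker API. Only the containers endpoint
  # is enabled (CONTAINERS=1), so a compromised Traefik cannot create, exec
  # into or otherwise control containers through this hop. The service sits
  # on the internal "socket" network only.
  dockersocket:
    image: quay.io/sheogorath/docker-socket-proxy:{{ traefik_dockersocketproxy_version }}
    mem_limit: 16mb
    memswap_limit: 32mb
    security_opt:
      - "label:disable"
      # Same hardening as the other services in this file; setuid/setgid
      # privilege drops inside the container still work under this flag.
      - no-new-privileges
    read_only: true
    tmpfs:
      - /run/:size=32K
    environment:
      - "CONTAINERS=1"
      - "LOG_LEVEL=notice"
    volumes:
      # ":ro" on a unix socket does not limit API calls; the CONTAINERS=1
      # filter above is what restricts what reaches the daemon.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      socket:
    restart: always

{% if traefik_tor_enabled %}
  # Optional Tor front. It reaches Traefik over "tor_internal" and the Tor
  # network over "tor_external"; state lives on a small private tmpfs.
  tor:
    image: quay.io/sheogorath/tor:{{ traefik_tor_version }}
    mem_limit: 32mb
    memswap_limit: 64mb
    read_only: true
    depends_on:
      - proxy
    security_opt:
      - no-new-privileges
{% if traefik_tor_selinux_level != omit %}
      - label=level:{{ traefik_tor_selinux_level }}
{% endif %}
    tmpfs:
      - /var/lib/tor/.tor:size=10M,uid=994,gid=994,mode=1700
    volumes:
      - "{{ traefik_tor_data_location }}:/data"
      - "{{ traefik_tor_config_location }}:/etc/torrc.d/:ro"
    networks:
      tor_internal:
      tor_external:
    restart: always
{% endif %}

  # Traefik itself. Publishes 80/443, discovers routes through the
  # dockersocket proxy and, optionally, a file provider directory.
  proxy:
    image: docker.io/library/traefik:{{ traefik_version }}
    cpu_shares: 3072
    mem_limit: 256mb
    memswap_limit: 512mb
    read_only: true
    restart: always
    labels:
      - "traefik.enable=true"
{% if traefik_https_redirect_all %}
      # Catch-all router on the plain HTTP entrypoint that redirects to HTTPS.
      - "traefik.http.routers.http_catchall.rule=HostRegexp(`{any:.+}`)"
      - "traefik.http.routers.http_catchall.entrypoints=web"
      - "traefik.http.routers.http_catchall.middlewares=https_redirect"
{% endif %}
      - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.https_redirect.redirectscheme.permanent=true"
      - "traefik.http.middlewares.compress.compress=true"
{% if traefik_dashboard_auth is defined %}
      # Dashboard/API router. NOTE(review): it names no entrypoints and no
      # tls options, so it also matches on the plain "web" entrypoint unless
      # traefik_https_redirect_all is set, and relies on the dynamic
      # configuration for TLS. Confirm that, or pin it with
      # "traefik.http.routers.api.entrypoints=websecure" and
      # "traefik.http.routers.api.tls=true" so basic-auth credentials never
      # travel in clear text.
      - "traefik.http.routers.api.rule=Host(`{{ traefik_dashboard_domain }}`)"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.middlewares=traefikauth"
      # NOTE(review): Compose interpolates "$" in this file, so htpasswd
      # hashes must be written with "$$" here. Confirm traefik_dashboard_auth
      # is already escaped by the caller; otherwise the hash is mangled and
      # the dashboard silently ends up with an unusable or empty user list.
      - "traefik.http.middlewares.traefikauth.basicauth.users={{ traefik_dashboard_auth }}"
{% endif %}
    depends_on:
      - dockersocket
    security_opt:
      # Always present, matching the tor and acme-dumper services; the SELinux
      # level is added only when one is configured.
      - no-new-privileges
{% if traefik_selinux_level != omit %}
      - label=level:{{ traefik_selinux_level }}
{% endif %}
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # ACME storage must be writable: Traefik persists issued certificates here.
      - "{{ traefik_acme_location }}:/etc/traefik/acme"
{% if traefik_dynamic_conf != omit %}
      - "{{ traefik_config_location }}:/etc/traefik/dynamic_conf:ro"
{% endif %}
    command:
      - "--entryPoints.web.address=:80"
      - "--entryPoints.websecure.address=:443"
      - "--accesslog={{ traefik_access_log_enabled | bool | lower }}"
{% if traefik_dynamic_conf != omit %}
      - "--providers.file.directory=/etc/traefik/dynamic_conf"
      - "--providers.file.watch=true"
{% endif %}
      - "--providers.docker=true"
      # The Docker API is reached through the filtered proxy, never the socket.
      - "--providers.docker.endpoint=tcp://dockersocket:2375"
      # Containers are routed only when they opt in with traefik.enable=true.
      - "--providers.docker.exposedByDefault=false"
{% if traefik_https_letsencrypt_enabled %}
      - "--certificatesResolvers.letsencrypt_http.acme.email={{ traefik_letsencrypt_email }}"
      - "--certificatesResolvers.letsencrypt_http.acme.storage=/etc/traefik/acme/acme.json"
      - "--certificatesResolvers.letsencrypt_http.acme.httpChallenge.entrypoint=web"
{% endif %}
{% if traefik_debug %}
      - "--log.level=DEBUG"
{% endif %}
    networks:
      {{ proxy_network }}:
{% if traefik_aliases is defined %}
        aliases:
{% for alias in traefik_aliases %}
          - "{{ alias }}"
{% endfor %}
{% endif %}
      socket:
{% if traefik_tor_enabled %}
      tor_internal:
{% endif %}
{% if traefik_ipv6.enabled %}
      {{ traefik_ipv6.name }}:
{% if traefik_ipv6.ip_addr != omit %}
        # Quoted so the rendered address is always read as a string.
        ipv6_address: "{{ traefik_ipv6.ip_addr | ipaddr('address') }}"
{% endif %}
{% endif %}
{% if traefik_options | length > 0 %}
    environment:
{% for key, value in traefik_options.items() %}
      - "{{ key }}={{ value }}"
{% endfor %}
{% endif %}

{% if traefik_acmedumper_enabled %}
  # Optional exporter that unpacks the ACME store into per-domain PEM files.
  # It has no network at all and reads the ACME store read-only.
  acme-dumper:
    image: docker.io/ldez/traefik-certs-dumper:{{ traefik_acmedumper_image_version }}
    read_only: true
    mem_limit: 64mb
    memswap_limit: 128mb
    network_mode: none
    security_opt:
      - no-new-privileges
{% if traefik_selinux_level != omit %}
      - label=level:{{ traefik_selinux_level }}
{% endif %}
    cap_drop:
      - all
    volumes:
      - "{{ traefik_acme_location }}:/etc/traefik/acme:ro"
      # Exported private keys land here; keep the host path tightly permissioned.
      - "{{ traefik_acmedumper_location }}:/export"
    command:
      - "file"
      - "--domain-subdir"
      - "--crt-ext=.pem"
      - "--key-ext=.pem"
      - "--crt-name=fullchain"
      - "--key-name=privkey"
      # NOTE(review): the proxy service above stores certificates in
      # /etc/traefik/acme/acme.json, but this watches acme-v2.json. Confirm a
      # resolver in the dynamic configuration writes that file; otherwise
      # nothing is ever exported.
      - "--source=/etc/traefik/acme/acme-v2.json"
      - "--dest=/export"
      - "--version=v2"
      - "--watch"
{% endif %}

networks:
  {{ proxy_network }}:
    external: true
  # Internal-only: carries nothing but the Traefik <-> dockersocket traffic.
  socket:
    internal: true
{% if traefik_tor_enabled %}
  tor_internal:
    internal: true
  tor_external:
{% endif %}
{% if traefik_ipv6.enabled %}
  {{ traefik_ipv6.name }}:
    external: true
{% endif %}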