version: "3.8"

networks:
  traefik:
    external: true
  portainer:
    driver: overlay

volumes:
  portainer_agent_data:
    driver: local
  portainer_data:
    driver: local

services:
  portainer:
    image: git.nixc.us/nixius/portainer:production-portainer
    command: -H tcp://tasks.portainer_agent:9001 --tlsskipverify
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer_data:/data
      - /etc/localtime:/etc/localtime:ro
    deploy:
      placement:
        constraints:
          - node.role == manager  # Ensures Portainer runs on a manager node
      replicas: 1
      labels:
        traefik.enable: "true"
        traefik.http.routers.portainer.rule: Host(`portainer.nixc.us`)
        traefik.http.routers.portainer.entrypoints: websecure
        traefik.http.routers.portainer.service: portainer
        traefik.http.routers.portainer.tls: "true"
        traefik.http.routers.portainer.tls.certresolver: letsencryptresolver
        traefik.http.services.portainer.loadbalancer.server.port: 9000
        traefik.docker.network: traefik
        traefik.http.routers.portainer.middlewares: authelia_authelia@docker
    networks:
      - traefik
      - portainer

  portainer_agent:
    image: git.nixc.us/nixius/portainer:production-agent
    environment:
      - EDGE=1
      - EDGE_ID={{.Node.Hostname}}
      - EDGE_KEY=${PORTAINER_EDGE_KEY}
      - EDGE_INSECURE_POLL=1
      - AGENT_CLUSTER_ADDR=tasks.portainer_agent
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer_agent_data:/data
    deploy:
      mode: global
      placement:
        constraints:
          - node.platform.os == linux  # Runs on Linux nodes only
      labels:
        - "traefik.enable=false"
    networks:
      - portainer