services:
  socketproxy:
    image: tecnativa/docker-socket-proxy
    networks:
      - socketproxy
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    environment:
    {% for key, value in socketproxy_env.items() %}
      {{ key }}: {{ value }}
    {% endfor %}
    deploy:
      endpoint_mode: dnsrr
      placement:
        constraints:
          - node.role == manager
      update_config:
        order: start-first
        failure_action: rollback
        delay: 0s
        parallelism: 1
      restart_policy:
        condition: on-failure

  traefik:
    image: traefik:v2
    command:
      - "--providers.docker.endpoint=http://socketproxy_socketproxy:2375"
      - "--log.level=ERROR"
      - "--providers.docker.swarmMode=true"
      - "--providers.docker.network=traefik"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.letsencryptresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.letsencryptresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.letsencryptresolver.acme.email=admin@nixc.us"
      - "--certificatesresolvers.letsencryptresolver.acme.storage=/letsencrypt/acme.json"
      - "--api.dashboard=true"
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
    volumes:
      - /mnt/tank/persist/{{ hostname }}/traefik/production/config:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - traefik
      - socketproxy
    deploy:
      placement:
        constraints:
          - node.hostname == {{ hostname }}
      labels:
        homepage.group: Infrastructure
        homepage.name: Ingress
        homepage.href: https://{{ url }}/
        homepage.description:
        us.nixc.autodeploy: "true"
        traefik.enable: "true"
        traefik.docker.network: traefik
        traefik.http.routers.traefik_traefik-http.tls: "true"
        traefik.http.routers.traefik_traefik-http.rule: "Host(`{{ url }}`)"
        traefik.http.routers.traefik_traefik-http.entrypoints: "websecure"
        traefik.http.routers.traefik_traefik-http.tls.certresolver: "letsencryptresolver"
        traefik.http.routers.traefik_traefik-http.service: "api@internal"
        traefik.http.services.traefik_traefik-http.loadbalancer.server.port: "888"


networks:
  socketproxy:
    external: true
  traefik:
    external: true