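---
# Self-hosted stack: S3 volume backup, nginx reverse proxy with automatic
# Let's Encrypt certificates, Portainer, wg-easy (WireGuard) and Synapse.
#
# Variables read from the environment / .env file:
#   AWS, ENDPOINT, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, EMAIL, HOSTNAME
# NOTE(review): some shells export HOSTNAME themselves, and the shell
# environment takes precedence over .env. Confirm the value Compose sees
# with `docker compose config`.

# Named volumes. The explicit names keep them independent of the Compose
# project name.
volumes:
  ssl-data:
    name: ssl
  wireguard-data:
    name: wireguard
  portainer_data:
    name: portainer

networks:
  # Dedicated network for traffic between the reverse proxy and its backends.
  # external: false means Compose creates and manages it from this file.
  rproxy-network:
    name: rproxy
    external: false
  # Referenced by wg-easy. It was not declared anywhere, which makes Compose
  # reject the file ("refers to undefined network").
  vpn-network: {}

services:
  # --------------------------------
  # Auto backup through S3
  # --------------------------------
  backup:
    container_name: backup
    # NOTE(review): no tag is given, so the image floats with the registry's
    # default tag. Pin a release tag or digest so updates are deliberate.
    image: offen/docker-volume-backup
    restart: unless-stopped
    environment:
      AWS_S3_BUCKET_NAME: ${AWS}
      AWS_ENDPOINT: ${ENDPOINT}
      AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID}
      AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY}
      BACKUP_CRON_EXPRESSION: "0 0 * * *"
      # Quoted so the value stays a string, as environment values should be.
      BACKUP_RETENTION_DAYS: "3"
      # NOTE(review): the archives contain TLS private keys, the WireGuard
      # configuration and the Synapse data directory. Consider setting
      # GPG_PASSPHRASE so archives are encrypted before they leave the host,
      # and scope the S3 credentials to this one bucket.
    volumes:
      # Docker socket, used to stop labelled containers during the backup
      # to prevent volume corruption.
      # The :ro flag only protects the socket file itself; API calls still
      # go through, so this container can fully control the Docker daemon.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Include container volumes in the backup process.
      - wireguard-data:/backup/wireguard:ro
      - ./synapse:/backup/synapse:ro
      - ssl-data:/backup/ssl:ro
      # Local directory for backup archives.
      - ./backup:/archive

  # --------------------------------
  # Reverse Proxy
  # --------------------------------
  nginx-proxy:
    image: nginxproxy/nginx-proxy:alpine
    container_name: nginx-proxy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Access to the Docker socket enables automated proxy configuration
      # based on container events.
      # NOTE(review): this is the internet-facing container and it holds the
      # Docker socket; :ro does not limit API calls. A filtering socket proxy
      # in front of the daemon would reduce the impact of a compromise.
      - /var/run/docker.sock:/tmp/docker.sock:ro
      # Certificate volume: nginx reads the TLS certificates and private
      # keys from here.
      - ssl-data:/etc/nginx/certs
      - ./nginx/default_html:/usr/share/nginx/html
      - ./nginx/default.conf:/etc/nginx/conf.d/default.conf
      - ./nginx/vhost.d:/etc/nginx/vhost.d
    labels:
      - "docker-volume-backup.stop-during-backup=true"
    networks:
      - rproxy-network

  # --------------------------------
  # ACME Companion for SSL certs
  # --------------------------------
  acme-companion:
    # NOTE(review): unpinned image; pin a release tag or digest.
    image: nginxproxy/acme-companion
    container_name: acme-companion
    restart: unless-stopped
    environment:
      - DEFAULT_EMAIL=${EMAIL}
      - NGINX_PROXY_CONTAINER=nginx-proxy
    volumes:
      # Access to the Docker socket enables automated certificate issuance.
      # As above, :ro does not restrict what the container can ask the
      # daemon to do.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Store issued certificates and keys in the ssl-data volume.
      - ssl-data:/etc/nginx/certs
      # Required for ACME HTTP-01 challenges and domain validation.
      - ./nginx/vhost.d:/etc/nginx/vhost.d
      # Shared web root for serving ACME challenge files.
      - ./nginx/default_html:/usr/share/nginx/html
      # Persist the ACME account so a new Let's Encrypt account is not
      # registered on every restart.
      - ./nginx/acme_config:/etc/acme.sh
    labels:
      - "docker-volume-backup.stop-during-backup=true"
    networks:
      - rproxy-network
    depends_on:
      - nginx-proxy

  # web:
  #   container_name: web
  #   build: ./guezoloic/website # using guezoloic website repo
  #   restart: unless-stopped
  #   environment:
  #     - VIRTUAL_HOST=${HOSTNAME}, www.${HOSTNAME}
  #     - LETSENCRYPT_HOST=${HOSTNAME}, www.${HOSTNAME}
  #     - LETSENCRYPT_EMAIL=${EMAIL}
  #   volumes:
  #     - ./data:/usr/share/nginx/html/data
  #   networks:
  #     - rproxy-network
  #   depends_on:
  #     - nginx-proxy

  # --------------------------------
  # Portainer (Docker management UI)
  # --------------------------------
  portainer:
    container_name: portainer
    image: portainer/portainer-ce:lts
    restart: unless-stopped
    environment:
      - VIRTUAL_HOST=monitor.${HOSTNAME}
      - LETSENCRYPT_HOST=monitor.${HOSTNAME}
      - LETSENCRYPT_EMAIL=${EMAIL}
      - VIRTUAL_PORT=9443
      # 9443 is Portainer's HTTPS listener, so the proxy has to speak HTTPS
      # to the backend; without this it would send plain HTTP to a TLS port.
      - VIRTUAL_PROTO=https
    volumes:
      # Read-write socket access is what lets Portainer manage the host's
      # containers: whoever logs in here controls the Docker daemon.
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer_data:/data
    # The UI was published on every host interface ("9443:9443"), which
    # bypassed the reverse proxy and its Let's Encrypt certificate. It is
    # now reachable only through monitor.${HOSTNAME}. If direct access is
    # needed, publish it on a loopback or VPN address instead, e.g.
    #   ports:
    #     - "127.0.0.1:9443:9443"
    #     # - "8000:8000"
    expose:
      - "9443"
    # Was missing: without a shared network nginx-proxy cannot reach the
    # container.
    networks:
      - rproxy-network
    depends_on:
      - nginx-proxy

  # --------------------------------
  # WireGuard VPN with web UI
  # --------------------------------
  wg-easy:
    image: ghcr.io/wg-easy/wg-easy:15
    container_name: wg-easy
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.all.forwarding=1
      - net.ipv6.conf.default.forwarding=1
    environment:
      - TZ=Europe/Paris
      - VIRTUAL_HOST=vpn.${HOSTNAME}
      - LETSENCRYPT_HOST=vpn.${HOSTNAME}
      - LETSENCRYPT_EMAIL=${EMAIL}
      - VIRTUAL_PORT=51821
    networks:
      # Was "proxy-network", which is not declared; the reverse proxy
      # network in this file is rproxy-network.
      - rproxy-network
      - vpn-network
    volumes:
      # Was "wireguard-volume", which is not declared. wireguard-data is the
      # volume defined above and the one the backup service archives.
      - wireguard-data:/etc/wireguard
      - /lib/modules:/lib/modules:ro
    ports:
      - "51820:51820/udp"
    labels:
      - "docker-volume-backup.stop-during-backup=true"
    depends_on:
      - nginx-proxy

  # --------------------------------
  # Synapse: private chat server (useful for notifications)
  # --------------------------------
  synapse:
    # NOTE(review): "latest" changes under you on every pull; pin a release
    # tag or digest.
    image: matrixdotorg/synapse:latest
    container_name: synapse
    restart: unless-stopped
    volumes:
      - ./synapse:/data
    environment:
      - SYNAPSE_CONFIG_PATH=/data/homeserver.yaml
      - VIRTUAL_HOST=msg.${HOSTNAME}
      - LETSENCRYPT_HOST=msg.${HOSTNAME}
      - LETSENCRYPT_EMAIL=${EMAIL}
      - VIRTUAL_PORT=8008
    expose:
      - "8008"
    labels:
      # ./synapse is part of the backup set, so stop the container while the
      # archive is taken, like the other backed-up services.
      - "docker-volume-backup.stop-during-backup=true"
    networks:
      - rproxy-network
    depends_on:
      - nginx-proxy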