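---
# Docker Swarm stack: Traefik v2 edge proxy (Let's Encrypt via the HTTP
# challenge), a backend service, a hello-world demo, and Portainer with its
# agent. Intended for `docker stack deploy`; the `traefik-public` overlay
# network is declared external below and must exist before deploying.
#
# NOTE(review): only the traefik image is pinned to a version tag. The other
# images resolve to `latest`, so a redeploy can pull different code than was
# reviewed. Pin each one to a tag or digest you have verified.
version: '3'

services:
  traefik:
    image: traefik:v2.0.0
    command:
      # Keep this 'false' in production: insecure mode serves the API and
      # dashboard without the router and auth middleware defined below.
      - --api.insecure=false
      # see https://docs.traefik.io/v2.0/operations/dashboard/#secure-mode for how to secure the dashboard
      - --api.dashboard=true
      # Enable additional endpoints for debugging and profiling.
      # NOTE(review): these appear to be served through api@internal, i.e.
      # behind the dashboard's basic auth only. Set to false once it works.
      - --api.debug=true
      # Debug while we get it working; for more levels/info see
      # https://docs.traefik.io/observability/logs/
      # NOTE(review): lower the level for production.
      - --log.level=DEBUG
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker=true
      - --providers.docker.swarmMode=true
      # Services are routed only when they opt in with traefik.enable=true.
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=traefik-public
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.letsencryptresolver.acme.httpchallenge=true
      - --certificatesresolvers.letsencryptresolver.acme.httpchallenge.entrypoint=web
      - --certificatesresolvers.letsencryptresolver.acme.email=user@yourdomain.com
      - --certificatesresolvers.letsencryptresolver.acme.storage=/letsencrypt/acme.json
    ports:
      # Quoted so no YAML parser can read host:container pairs as numbers.
      - "80:80"
      - "443:443"
    volumes:
      # To persist certificates. acme.json also holds the private keys, so
      # treat this volume as secret material.
      - traefik-certificates:/letsencrypt
      # So that Traefik can listen to the Docker events.
      # NOTE(review): `:ro` only makes the socket file read-only in the mount;
      # it does not limit which Docker API calls can be sent through it. On a
      # manager node this gives the internet-facing proxy control of the swarm.
      # Consider fronting the socket with a proxy that allows only the
      # read-only endpoints Traefik needs.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - traefik-public
    deploy:
      labels:
        - traefik.enable=true
        # Dashboard: served over TLS only, behind the authtraefik middleware.
        - 'traefik.http.routers.traefik.rule=Host(`proxy.yourdomain.com`)'
        - traefik.http.routers.traefik.service=api@internal
        - traefik.http.routers.traefik.tls.certresolver=letsencryptresolver
        - traefik.http.routers.traefik.entrypoints=websecure
        - traefik.http.routers.traefik.middlewares=authtraefik
        # user/password (https://www.web2generators.com/apache-tools/htpasswd-generator)
        # comma-separated users; `$$` is Compose escaping for a literal `$`.
        # NOTE(review): the entry below is a published sample. Replace it
        # before deploying, and generate the replacement locally with
        # `htpasswd` rather than on a third-party site. Prefer a bcrypt hash
        # (`htpasswd -B`) over apr1/MD5, and keep real hashes out of version
        # control (e.g. basicauth.usersfile backed by a Docker secret).
        - 'traefik.http.middlewares.authtraefik.basicauth.users=user:$$apr1$$q8eZFHjF$$Fvmkk//V6Btlaf2i/ju5n/'
        # Global redirect to https: catch every host on the plain-HTTP
        # entrypoint and hand it to the redirect middleware.
        - 'traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)'
        - traefik.http.routers.http-catchall.entrypoints=web
        - traefik.http.routers.http-catchall.middlewares=redirect-to-https
        # middleware redirect
        - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
        # Placeholder port: in swarm mode Traefik expects a server port label
        # on a labelled service, even though only api@internal is routed here.
        - traefik.http.services.dummy-svc.loadbalancer.server.port=9999
      placement:
        constraints:
          # The swarm provider has to talk to a manager's Docker API.
          - node.role == manager

  backend:
    image: cauen/cauenode_backend
    networks:
      - traefik-public
    deploy:
      # One task on every worker node.
      mode: global
      placement:
        constraints:
          - node.role == worker
      labels:
        - traefik.enable=true
        # securing
        - 'traefik.http.routers.backend-secure.rule=Host(`yourdomain.com`)'
        - traefik.http.routers.backend-secure.tls.certresolver=letsencryptresolver
        - traefik.http.routers.backend-secure.tls=true
        - traefik.http.routers.backend-secure.entrypoints=websecure
        # Service port
        - traefik.http.services.backend.loadbalancer.server.port=1234

  agent:
    image: portainer/agent
    volumes:
      # NOTE(review): a writable Docker socket plus the volumes directory is
      # root-equivalent on each node, so keep this service off shared networks.
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/lib/docker/volumes:/var/lib/docker/volumes
    networks:
      # Deliberately attached to agent_network only. The agent carries no
      # Traefik labels, so membership in traefik-public served no routing
      # purpose; it only made the agent reachable from every web-facing
      # container. Portainer reaches it through agent_network.
      - agent_network
    deploy:
      mode: global
      placement:
        constraints:
          - node.platform.os == linux

  helloworld:
    # NOTE(review): demo workload; drop it from a production stack.
    image: tutum/hello-world:latest
    networks:
      - traefik-public
    deploy:
      labels:
        - traefik.enable=true
        - 'traefik.http.routers.helloworld-web-secure.rule=Host(`tutum.yourdomain.com`)'
        - traefik.http.routers.helloworld-web-secure.tls.certresolver=letsencryptresolver
        - traefik.http.routers.helloworld-web-secure.tls=true
        - traefik.http.routers.helloworld-web-secure.entrypoints=websecure
        # if you have multiple ports exposed on the service, specify port in the web-secure service
        - traefik.http.services.helloworld-web-secure.loadbalancer.server.port=80

  portainer:
    image: portainer/portainer
    # --tlsskipverify: the link to the agent is encrypted but the agent's
    # certificate is not verified, so restrict agent_network to these two
    # services.
    command: '-H tcp://tasks.agent:9001 --tlsskipverify'
    # NOTE(review): `docker stack deploy` ignores `restart` and `security_opt`,
    # so no-new-privileges is NOT applied when this runs as a swarm service.
    # Do not count it as a control here.
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      # NOTE(review): published directly on the swarm, bypassing Traefik and
      # its TLS/auth. Portainer uses 8000 for the Edge agent tunnel; remove
      # this mapping if Edge agents are not used.
      - "8000:8000"
    volumes:
      - portainer_data:/data
    networks:
      - agent_network
      - traefik-public
    deploy:
      mode: replicated
      replicas: 1
      labels:
        - traefik.enable=true
        # Portainer sits on two networks; tell Traefik which one to use.
        - traefik.docker.network=traefik-public
        - 'traefik.http.routers.portainer-web-secure.rule=Host(`portainer.yourdomain.com`)'
        - traefik.http.routers.portainer-web-secure.tls.certresolver=letsencryptresolver
        - traefik.http.routers.portainer-web-secure.tls=true
        - traefik.http.routers.portainer-web-secure.entrypoints=websecure
        # if you have multiple ports exposed on the service, specify port in the web-secure service
        - traefik.http.services.portainer-web-secure.loadbalancer.server.port=9000
      placement:
        constraints:
          - node.role == manager

volumes:
  traefik-certificates: {}
  portainer_data: {}

networks:
  traefik-public:
    # Created outside this stack and shared with other stacks.
    external: true
  agent_network:
    driver: overlay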