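services:
  # Based on https://tansanrao.com/containerised-hosting-management-infra/
  # Started on 19.05.2024 and extended with:
  #   - gitea
  #   - redirect for mails.herrmann.es

  traefik:
    # image: "traefik:v2.2"
    # NOTE(review): "latest" is a moving tag, so every pull can change the
    # proxy that terminates TLS for all services below. Pin a tested version
    # tag or an image digest.
    image: "traefik:latest"
    command:
      - "--accesslog=true"
      # NOTE(review): DEBUG logging is verbose and can record request details;
      # consider a lower level once the setup is stable.
      - "--log.level=DEBUG"
      - "--providers.docker"
      - "--log.filePath=/logs/traefik.log"
    container_name: "traefik"
    restart: always
    ports:
      - "80:80"
      - "443:443"
      # NOTE(review): 8080 is Traefik's default API/dashboard port when the
      # insecure API is enabled. traefik.toml is not shown here - confirm
      # whether this port really has to be published on every host interface.
      - "8080:8080"
    volumes:
      - "letsencrypt:/letsencrypt"
      # The ":ro" flag only makes the socket file mount read-only; it does not
      # restrict Docker API calls sent over the socket. A compromised Traefik
      # can still control the Docker daemon, so consider a filtering socket
      # proxy in front of it.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "${PWD}/traefik.toml:/etc/traefik/traefik.toml"
      - "${PWD}/dynamic.toml:/etc/traefik/dynamic.toml"
      - "traefik_logs:/logs/"
    networks:
      - internal
      - traefik-public

  portainer:
    # NOTE(review): unpinned tag; pin a tested version or digest.
    image: portainer/portainer-ce:latest
    command: -H unix:///var/run/docker.sock
    restart: always
    # Ports are commented out: there is no reason for Portainer to be
    # reachable other than through Traefik.
    # ports:
    #   - 9000:9000
    #   - 8000:8000
    volumes:
      # Read-write Docker socket: whoever controls Portainer controls the
      # host's Docker daemon. Because the UI is published through Traefik,
      # restrict who can reach it (for example an IP allow-list or an
      # authentication middleware) in addition to Portainer's own login.
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer_data:/data
    labels:
      - traefik.enable=true
      - traefik.http.middlewares.portainer-redirect-websecure.redirectscheme.scheme=https
      - traefik.http.routers.portainer-web.rule=Host(`portainer.herrmann.es`)
      - traefik.http.routers.portainer-web.entrypoints=web
      - traefik.http.routers.portainer-web.middlewares=portainer-redirect-websecure
      - traefik.http.routers.portainer-websecure.entrypoints=websecure
      - traefik.http.routers.portainer-websecure.rule=Host(`portainer.herrmann.es`)
      # NOTE(review): traefik.tags looks like a Traefik v1-style label (and
      # its value starts with a space); verify it is still needed.
      - traefik.tags= traefik-public
      - traefik.docker.network=traefik-public
      - traefik.http.routers.portainer-websecure.tls=true
      - traefik.http.routers.portainer-websecure.tls.certresolver=myresolver
      - traefik.http.services.portainer-global.loadbalancer.server.port=9000
    networks:
      - internal
      - traefik-public

  webmin-proxy:
    # Forwards container traffic to the Docker host and needs NET_ADMIN and
    # NET_RAW to do so. NOTE(review): the image carries no tag, so it resolves
    # to "latest"; pin a version or digest for a container holding these
    # capabilities.
    image: qoomon/docker-host
    restart: always
    cap_add: ["NET_ADMIN", "NET_RAW"]
    labels:
      - traefik.enable=true
      - traefik.http.middlewares.webmin-redirect-websecure.redirectscheme.scheme=https
      - traefik.http.routers.webmin-web.rule=Host(`webmin.herrmann.es`)
      - traefik.http.routers.webmin-web.entrypoints=web
      - traefik.http.routers.webmin-web.middlewares=webmin-redirect-websecure
      - traefik.http.routers.webmin-websecure.entrypoints=websecure
      - traefik.http.routers.webmin-websecure.rule=Host(`webmin.herrmann.es`)
      - traefik.tags= traefik-public
      - traefik.docker.network=traefik-public
      - traefik.http.routers.webmin-websecure.tls=true
      - traefik.http.routers.webmin-websecure.tls.certresolver=myresolver
      - traefik.http.services.webmin-global.loadbalancer.server.port=10000
    networks:
      - internal
      - traefik-public
    environment:
      # The second port is for testing and shows how to add further ports
      # later.
      # NOTE(review): the Traefik service above targets port 10000, while
      # PORTS lists 10010 and 10011 - confirm the forwarded ports include the
      # one the host's admin UI listens on.
      - PORTS=10010,10011

  gitea:
    image: gitea/gitea:1.21.11
    container_name: gitea
    environment:
      - USER_UID=1000
      - USER_GID=1000
    restart: always
    labels:
      - traefik.enable=true
      - traefik.http.middlewares.gitea-redirect-websecure.redirectscheme.scheme=https
      - traefik.http.routers.gitea-web.rule=Host(`gitea.herrmann.es`)
      - traefik.http.routers.gitea-web.entrypoints=web
      # Use the redirect middleware declared on this container, so the
      # HTTP -> HTTPS redirect does not depend on the webmin-proxy container
      # being up to provide its middleware.
      - traefik.http.routers.gitea-web.middlewares=gitea-redirect-websecure
      - traefik.http.routers.gitea-websecure.entrypoints=websecure
      - traefik.http.routers.gitea-websecure.rule=Host(`gitea.herrmann.es`)
      - traefik.tags= traefik-public
      - traefik.docker.network=traefik-public
      - traefik.http.routers.gitea-websecure.tls=true
      - traefik.http.routers.gitea-websecure.tls.certresolver=myresolver
      - traefik.http.services.gitea-global.loadbalancer.server.port=3000
    volumes:
      - gitea_data:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    networks:
      - internal
      - traefik-public

  # Placeholder backend whose router only exists to redirect the old mail
  # host names to the new webmail URL.
  whoami:
    image: traefik/whoami:v1.8
    networks:
      - traefik-public
      - internal
    labels:
      - traefik.enable=true
      - traefik.http.routers.mywhoami.rule=Host(`mails.herrmann.es`) || Host(`www.mails.herrmann.es`)
      - traefik.http.services.mywhoami.loadbalancer.server.port=80
      # - traefik.http.middlewares.mywwwredirect.redirectregex.regex=^https://www\.(.*)
      - traefik.http.middlewares.mywwwredirect.redirectregex.regex=^http(.*)
      # The target must be an absolute URL including "//" after the scheme.
      - traefik.http.middlewares.mywwwredirect.redirectregex.replacement=https://mailneu.herrmann.es/SOGo
      - traefik.http.routers.mywhoami.middlewares=mywwwredirect

volumes:
  letsencrypt:
  portainer_data:
  gitea_data:
  traefik_logs:

networks:
  # The traefik-public network must be declared external: true; it is not
  # created by this file. All containers have access to it.
  traefik-public:
    name: traefik-public
    external: true
  # "internal" is only the network's name: the "internal: true" option is not
  # set, so this network is not isolated from outside connectivity.
  internal:
    name: internal
    external: false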