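---
# Compose stack: Traefik v3 as the edge proxy (ACME via TLS-ALPN challenge), Portainer,
# and CrowdSec with the Traefik bouncer plugin.
#
# Secrets are no longer written into this file: they are read from the Compose
# environment / an uncommitted .env file via ${...} interpolation (see the traefik
# service). Any credential value that was previously committed here should be treated
# as exposed and rotated.

networks:
  proxy:
    external: false
    name: proxy
    enable_ipv6: true

volumes:
  letsencrypt:
    name: letsencrypt
  portainer:
    name: portainer
  traefik_log:
    name: traefik_log
  crowdsec_data:
    name: crowdsec_data
  crowdsec_etc:
    name: crowdsec_etc

services:
  traefik:
    # "v3" is a floating tag; pin to a specific release for reproducible deployments.
    image: traefik:v3
    container_name: traefik
    restart: unless-stopped
    command:
      # CrowdSec bouncer plugin; the middleware itself is configured via labels below.
      - --experimental.plugins.bouncer.moduleName=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
      - --experimental.plugins.bouncer.version=v1.5.0
      - --global.sendAnonymousUsage=false
      - --api.dashboard=true
      # NOTE(review): api.insecure=true also serves the API/dashboard without
      # authentication on Traefik's internal "traefik" entrypoint (:8080). That port is
      # not published on the host, but every container on the proxy network can reach
      # it. The authenticated route below (router traefik-secure -> api@internal behind
      # the "auth" basicauth middleware) works without it, so set this to false unless
      # something on the proxy network relies on the unauthenticated API.
      - --api.insecure=true
      - --providers.docker=true
      - --providers.docker.network=proxy
      # Only containers that opt in with traefik.enable=true are exposed.
      - --providers.docker.exposedByDefault=false
      - --entryPoints.web.address=:80
      # NOTE(review): forwardedHeaders.insecure=true makes Traefik trust X-Forwarded-* /
      # X-Real-IP from any client, so the client IP in the access log (which CrowdSec
      # parses) and in any IP-based middleware can be spoofed. Prefer
      # --entryPoints.<ep>.forwardedHeaders.trustedIPs=<upstream proxy IPs/CIDRs>
      # (the bouncer labels below already list the addresses this stack trusts).
      - --entryPoints.web.forwardedHeaders.insecure=true
      - --entryPoints.websecure.address=:443
      - --entryPoints.websecure.http3.advertisedPort=443
      - --entryPoints.websecure.forwardedHeaders.insecure=true
      # The ssh entrypoint (:222) is not in the ports section below, so it is only
      # reachable inside the proxy network; presumably intentional — verify.
      - --entryPoints.ssh.address=:222/tcp
      - --entryPoints.smtp.address=:25
      - --entryPoints.smtp-ssl.address=:465
      - --entryPoints.imap-ssl.address=:993
      - --entryPoints.sieve.address=:4190
      # ACME resolver "cs": TLS-ALPN-01 challenge on :443, certificates persisted in the
      # letsencrypt volume (acme.json contains private keys — keep the volume private).
      - --certificatesresolvers.cs.acme.tlschallenge=true
      - --certificatesresolvers.cs.acme.email=christiansteinle@arcor.de
      - --certificatesresolvers.cs.acme.storage=/letsencrypt/acme.json
      - --log=true
      - --log.level=INFO
      # JSON access log with all request headers dropped except User-Agent; this is the
      # log the crowdsec service tails (traefik_log volume).
      - --accessLog=true
      - --accessLog.filePath=/logs/traefik.log
      - --accessLog.format=json
      - --accessLog.bufferingSize=0
      - --accessLog.fields.headers.defaultMode=drop
      - --accessLog.fields.headers.names.User-Agent=keep
      # Prometheus metrics are served via the explicit metrics-secure router below
      # (manualRouting=true), not on a separate entrypoint.
      - --metrics.prometheus=true
      - --metrics.prometheus.manualRouting=true
      - --metrics.prometheus.addRoutersLabels=true
    environment:
      # Read from .env / the shell; defaults to empty because the resolver "cs" uses
      # the TLS-ALPN challenge and this DNS-provider token is not used by the
      # configuration as written (it would only matter for a dnsChallenge resolver).
      - INFOMANIAK_ACCESS_TOKEN=${INFOMANIAK_ACCESS_TOKEN:-}
    ports:
      - "25:25"
      # 80/443 are published in host mode so the real client address reaches Traefik
      # (and therefore the access log and the CrowdSec bouncer) without NAT.
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      # UDP 443 for HTTP/3.
      - target: 443
        published: 443
        protocol: udp
        mode: host
      - "465:465"
      - "993:993"
      - "4190:4190"
    volumes:
      # NOTE(review): ":ro" only affects the socket file mode; it does not limit what
      # the Docker API accepts over the socket, and a process that can talk to it is
      # effectively root on the host. A docker socket proxy that allows only the
      # read-only endpoints Traefik needs is the usual mitigation.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - letsencrypt:/letsencrypt
      - traefik_log:/logs
    labels:
      - "traefik.enable=true"
      # HTTP -> HTTPS redirect for the dashboard host.
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.rule=Host(`traefik.steinle-computer.de`)"
      - "traefik.http.routers.traefik.middlewares=traefik"
      - "traefik.http.middlewares.traefik.redirectscheme.scheme=https"
      # Dashboard over TLS, basic-auth protected.
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.steinle-computer.de`)"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cs"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.http.routers.traefik-secure.middlewares=auth"
      # htpasswd entry; "$" is doubled so Compose does not interpolate it. This is an
      # apr1 (MD5-based) hash — Traefik's basicauth also accepts bcrypt hashes, which
      # are the stronger choice when the password is next rotated.
      - "traefik.http.middlewares.auth.basicauth.users=chris:$$apr1$$xe634m7n$$gpkZ11O7CrbiWAhsWKNlO1"
      # Not referenced by any router in this file (traefik-secure uses api@internal);
      # kept for compatibility, appears removable.
      - "traefik.http.services.traefik-secure.loadbalancer.server.port=8080"
      # /metrics: redirect on HTTP, basic-auth + TLS on HTTPS, served by prometheus@internal.
      - "traefik.http.routers.metrics.entrypoints=web"
      - "traefik.http.routers.metrics.rule=Host(`traefik.steinle-computer.de`) && PathPrefix(`/metrics`)"
      - "traefik.http.routers.metrics.middlewares=traefik"
      - "traefik.http.routers.metrics-secure.entrypoints=websecure"
      - "traefik.http.routers.metrics-secure.rule=Host(`traefik.steinle-computer.de`) && PathPrefix(`/metrics`)"
      - "traefik.http.routers.metrics-secure.tls.certresolver=cs"
      - "traefik.http.routers.metrics-secure.middlewares=auth"
      - "traefik.http.routers.metrics-secure.service=prometheus@internal"
      # CrowdSec bouncer middleware "crowdsec". It is defined here but not attached to
      # any router in this file; routers elsewhere must reference it
      # (…middlewares=crowdsec@docker) to be protected — verify against the other stacks.
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.enabled=true"
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.defaultDecisionSeconds=60"
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecMode=live"
      # AppSec (WAF) is disabled even though the crowdsec service exposes :7422 and
      # loads the appsec collections; enable here if it is meant to be active.
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecAppsecEnabled=false"
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecAppsecHost=crowdsec:7422"
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecAppsecFailureBlock=true"
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecAppsecUnreachableBlock=true"
      # CROWDSEC_LAPI_KEY (constructed name): the bouncer API key registered with the
      # CrowdSec LAPI; required, set it in .env. Compose refuses to start if it is unset.
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecLapiKey=${CROWDSEC_LAPI_KEY:?set CROWDSEC_LAPI_KEY in .env}"
      # Plain HTTP to the LAPI stays inside the proxy network.
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecLapiHost=crowdsec:8080"
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecLapiScheme=http"
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecLapiTLSInsecureVerify=false"
      # Sources whose forwarded headers the bouncer trusts, and clients it never blocks.
      # NOTE(review): 172.17.0.0/16 is Docker's default bridge; the compose-created
      # "proxy" network may use a different subnet — confirm with `docker network inspect`.
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.forwardedHeadersTrustedIPs=91.108.113.212,192.168.0.0/16,172.17.0.0/16"
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.clientTrustedIPs=91.108.113.212,192.168.0.0/16,172.17.0.0/16"
    networks:
      - proxy

  portainer:
    # Floating tag; pin to a release for reproducible deployments.
    image: portainer/portainer-ce:alpine
    container_name: portainer
    command: -H unix:///var/run/docker.sock
    restart: unless-stopped
    volumes:
      # Read-write Docker socket: Portainer is host-root-equivalent, so the basic
      # protection is Portainer's own authentication on the TLS route below.
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer:/data
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      # HTTP -> HTTPS redirect.
      - "traefik.http.routers.portainer.entrypoints=web"
      - "traefik.http.routers.portainer.rule=Host(`portainer.steinle-computer.de`)"
      - "traefik.http.routers.portainer.middlewares=portainer"
      - "traefik.http.middlewares.portainer.redirectscheme.scheme=https"
      # TLS route; CORS restricted to the homer dashboard origin and the x-api-key header.
      - "traefik.http.routers.portainer-secure.entrypoints=websecure"
      - "traefik.http.routers.portainer-secure.rule=Host(`portainer.steinle-computer.de`)"
      - "traefik.http.routers.portainer-secure.middlewares=portainer-secure"
      - "traefik.http.middlewares.portainer-secure.headers.addvaryheader=true"
      - "traefik.http.middlewares.portainer-secure.headers.accesscontrolalloworiginlist=https://homer.fam-steinle.de"
      - "traefik.http.middlewares.portainer-secure.headers.accesscontrolallowheaders=x-api-key"
      - "traefik.http.routers.portainer-secure.tls.certresolver=cs"
      - "traefik.http.services.portainer-secure.loadbalancer.server.port=9000"

  crowdsec:
    # Untagged image resolves to :latest; pin to a release for reproducible deployments.
    image: crowdsecurity/crowdsec
    container_name: crowdsec
    restart: unless-stopped
    ports:
      # Quoted so YAML never tries to type the value; bound to loopback only.
      - "127.0.0.1:9876:8080"  # port mapping for local firewall bouncers
    expose:
      - 8080  # http api for bouncers (reachable by every container on the proxy network)
      - 6060  # metrics endpoint for prometheus
      - 7422  # appsec waf endpoint
    volumes:
      # crowdsec container data
      - crowdsec_data:/var/lib/crowdsec/data
      - crowdsec_etc:/etc/crowdsec
      # log bind mounts into crowdsec
      - /var/log/auth.log:/var/log/auth.log:ro
      - /var/log/syslog:/var/log/syslog:ro
      - traefik_log:/var/log/traefik:ro
    environment:
      - GID=1000
      - COLLECTIONS=crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/base-http-scenarios crowdsecurity/sshd crowdsecurity/linux crowdsecurity/appsec-generic-rules crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-crs
      #- CUSTOM_HOSTNAME=my-crowdsec-host123
    networks:
      - proxy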