version: "3.3"

services:

  #  Route via Traefik
  router-traefik:
    image: "traefik:v2.10"
    env_file:
      - .env
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.wireguard.address=:51820"
      - "--certificatesresolvers.exitNode.acme.tlschallenge=true"
      - "--certificatesresolvers.exitNode.acme.email=devops@lt.hn"
      - "--certificatesresolvers.exitNode.acme.storage=/letsencrypt/acme.json"
      - "--experimental.plugins.ldapAuth.modulename=github.com/wiltonsr/ldapAuth"
      - "--experimental.plugins.ldapAuth.version=v0.0.22"
    ports:
      - "443:443"
      - "80:8080"
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  #  Wireguard VPN
  vpn-wireguard:
    image: linuxserver/wireguard:latest
    cap_add:
      - NET_ADMIN
      - SYS_MODULE #optional
    env_file:
      - .env
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - SERVERURL=$NODE_HOSTNAME #optional
      - SERVERPORT=51820 #optional
      #- PEERS=1 #uncomment if wishing to not set usernames and only set a random number of peers.
      - PEERDNS=auto #optional
      - INTERNAL_SUBNET=10.13.13.0 #optional
      - ALLOWEDIPS=0.0.0.0/0 #optional
      - PERSISTENTKEEPALIVE_PEERS= #optional
      - LOG_CONFS=true #optional
    volumes:
      - ./config:/config
      - /lib/modules:/lib/modules #optional
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    labels:
      - "traefik.enable=true"
      - "traefik.udp.routers.wireguard.rule=HostRegexp(`${SERVER_CNAME_NAMESPACE}`, `{subdomain:[a-z]+}.${SERVER_CNAME_NAMESPACE}`)"
      - "traefik.udp.routers.wireguard.entrypoints=wireguard"
    restart: unless-stopped