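---
# Swarm stack: Caddy reverse proxy (docker-proxy build with the CrowdSec
# bouncer module) plus a CrowdSec agent that reads Caddy's access logs.
# CROWDSEC_API_KEY must be exported in the environment used to deploy.

configs:
  # Presumably picked up by the docker-proxy module through the `caddy` label
  # as base Caddyfile content; verify against the image's documentation.
  caddy-basic-content:
    file: ./Caddyfile
    labels:
      caddy: ""

services:
  caddy:
    # NOTE(review): `latest` is a mutable tag on a third-party image, so every
    # pull can change what runs on the edge. Pin a reviewed release, ideally by
    # digest (<pinned-tag>@sha256:<digest>).
    image: ghcr.io/serfriz/caddy-crowdsec-geoip-ratelimit-security-dockerproxy:latest
    ports:
      # Quoted so HOST:CONTAINER pairs are always read as strings.
      - "8900:80"
      - "443:443"
    environment:
      - CADDY_INGRESS_NETWORKS=netgrimoire
      # Prevents non-deterministic reload with CrowdSec module
      - CADDY_DOCKER_EVENT_THROTTLE_INTERVAL=2000
      # Fail the deploy if the key is unset instead of substituting an empty
      # string and starting a bouncer that cannot authenticate to CrowdSec.
      # The value is visible in `docker inspect`; consider a Swarm secret if
      # the image supports reading the key from a file (confirm).
      - "CROWDSEC_API_KEY=${CROWDSEC_API_KEY:?CROWDSEC_API_KEY must be set}"
    networks:
      - netgrimoire
      - vpn
      - crowdsec_net
    volumes:
      # The Docker socket gives this internet-facing container control of the
      # Docker daemon. `:ro` only protects the socket file itself; it does NOT
      # restrict API calls. A filtering socket proxy that exposes only the
      # read endpoints the docker-proxy module needs would narrow this.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /export/Docker/caddy/Caddyfile:/etc/caddy/Caddyfile
      # /data presumably holds Caddy's certificates and private keys (confirm).
      # The same host directory also contains the Caddyfile and the CrowdSec
      # acquisition config, so restrict host permissions on it accordingly.
      - /export/Docker/caddy:/data
      - caddy-logs:/var/log/caddy
    deploy:
      placement:
        constraints:
          # caddy-logs is a plain named volume, so Caddy and CrowdSec must run
          # on the same node to share it.
          - node.hostname == znas

  crowdsec:
    # NOTE(review): untagged image resolves to `latest`; pin a reviewed
    # release (<pinned-tag>@sha256:<digest>).
    image: crowdsecurity/crowdsec
    # NOTE(review): `restart` is ignored by `docker stack deploy`; under Swarm
    # the restart behaviour comes from deploy.restart_policy.
    restart: unless-stopped
    environment:
      COLLECTIONS: "crowdsecurity/caddy crowdsecurity/http-cve crowdsecurity/whitelist-good-actors"
      # Pre-registers the Caddy bouncer automatically. Same fail-fast rule as
      # on the Caddy side so both services always receive the same non-empty key.
      BOUNCER_KEY_CADDY: "${CROWDSEC_API_KEY:?CROWDSEC_API_KEY must be set}"
    volumes:
      - crowdsec-db:/var/lib/crowdsec/data
      - /export/Docker/caddy/crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml
      # Read-only: CrowdSec only needs to read the logs Caddy writes.
      - caddy-logs:/var/log/caddy:ro
    networks:
      # Only on the private network shared with Caddy; no published ports.
      - crowdsec_net
    deploy:
      placement:
        constraints:
          - node.hostname == znas

volumes:
  caddy-logs: {}
  crowdsec-db: {}

networks:
  netgrimoire:
    external: true
  vpn:
    external: true
  crowdsec_net:
    driver: overlay  # Swarm overlay network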