services/swarm/stack/caddy/caddy.yaml

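---
# Swarm stack: Caddy reverse proxy (CrowdSec bouncer build) plus the CrowdSec
# agent that reads Caddy's access logs. Both tasks are pinned to node "znas".
#
# SECURITY: the CrowdSec bouncer key used to be committed in clear text in
# this file. Treat that value as compromised: rotate it, and supply the new
# key through the deploy environment (export CROWDSEC_API_KEY before running
# `docker stack deploy`). Both services must receive the same value.

configs:
  caddy-basic-content:
    file: ./Caddyfile
    labels:
      # Left as an empty value on purpose; presumably the marker label the
      # docker-proxy module looks for on configs - confirm before changing.
      caddy:

services:
  caddy:
    # NOTE(review): ":latest" is a mutable tag, so a redeploy can pull a
    # different build of this internet-facing proxy. Pin a version tag or
    # an image digest once a known-good build is chosen.
    image: ghcr.io/serfriz/caddy-crowdsec-geoip-ratelimit-security-dockerproxy:latest
    ports:
      # Quoted so no YAML 1.1 parser can read "a:b" as a base-60 integer.
      - "8900:80"
      - "443:443"
      # NOTE(review): 2019 is published on the swarm ingress. If this is the
      # Caddy admin endpoint, confirm it has to be reachable from outside the
      # container; otherwise drop this mapping.
      - "2019:2019"
    environment:
      CADDY_INGRESS_NETWORKS: netgrimoire
      # Prevents non-deterministic reload with CrowdSec module
      CADDY_DOCKER_EVENT_THROTTLE_INTERVAL: "2000"
      # Fails the deploy with a clear message when the key is not exported.
      CROWDSEC_API_KEY: "${CROWDSEC_API_KEY:?export CROWDSEC_API_KEY before deploying}"
    networks:
      - netgrimoire
      - vpn
      - crowdsec_net
    volumes:
      # NOTE(review): the Docker socket gives this container full control of
      # the Docker daemon on the node. A ":ro" flag would not restrict API
      # calls; consider a filtering socket proxy limited to the read
      # endpoints the proxy needs.
      - /var/run/docker.sock:/var/run/docker.sock
      - /export/Docker/caddy/Caddyfile:/etc/caddy/Caddyfile
      # NOTE(review): /export/Docker/caddy is mounted read-write as /data and
      # is also the parent of the Caddyfile above and of CrowdSec's
      # acquis.yaml below, so this container can rewrite both. A dedicated
      # sub-directory for /data would remove that write path.
      - /export/Docker/caddy:/data
      - caddy-logs:/var/log/caddy
    deploy:
      placement:
        constraints:
          - node.hostname == znas
      labels:
        gremlin.enable: "false"

  crowdsec:
    # NOTE(review): no tag means ":latest"; pin a version tag or digest.
    image: crowdsecurity/crowdsec
    # `docker stack deploy` ignores `restart`; it only takes effect when this
    # file is run with plain Compose. Swarm uses deploy.restart_policy.
    restart: unless-stopped
    environment:
      COLLECTIONS: "crowdsecurity/caddy crowdsecurity/http-cve crowdsecurity/whitelist-good-actors"
      # Pre-registers the Caddy bouncer automatically; must be the same key
      # the caddy service receives as CROWDSEC_API_KEY.
      BOUNCER_KEY_CADDY: "${CROWDSEC_API_KEY:?export CROWDSEC_API_KEY before deploying}"
    volumes:
      - crowdsec-db:/var/lib/crowdsec/data
      # NOTE(review): looks read-only in practice; consider ":ro" after
      # confirming CrowdSec never writes to this file.
      - /export/Docker/caddy/crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml
      # Caddy's log volume, read-only for the agent.
      - caddy-logs:/var/log/caddy:ro
    networks:
      - crowdsec_net
    deploy:
      placement:
        constraints:
          - node.hostname == znas
      labels:
        gremlin.enable: "false"

volumes:
  caddy-logs:
  crowdsec-db:

networks:
  netgrimoire:
    external: true
  vpn:
    external: true
  crowdsec_net:
    driver: overlay  # Swarm overlay network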