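# NOTE(review): this header previously held the Vaultwarden admin token in
# plaintext, together with the salt of the Argon2 hash set in ADMIN_TOKEN below.
# Both values are removed here. Treat that token as disclosed: generate a new
# one, re-hash it, and keep the plaintext out of this file and out of version
# control.
name: implohq

include:
  - ./services/photos/compose.yaml

services:
  # Reverse proxy: terminates TLS and routes by Host rule to labelled containers.
  proxy:
    image: traefik:v2.10
    container_name: implohq-proxy
    networks:
      - proxy
    restart: always
    ports:
      - "80:80"
      # NOTE(review): together with --api.insecure=true below, this publishes the
      # Traefik API and dashboard without authentication on every host
      # interface. Bind it to loopback or serve the dashboard through an
      # authenticated router instead.
      - "8080:8080"
      - "443:443"
      - "22:22"
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "./certs:/certs"
      # NOTE(review): ":ro" only makes the socket file mount read-only; the
      # Docker API behind it still accepts every request. A compromise of this
      # container is then equivalent to control of the Docker daemon. Consider a
      # socket proxy that allows only the read endpoints Traefik needs.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./dynamic:/etc/traefik/dynamic"
    command:
      # NOTE(review): DEBUG logging is verbose; lower it outside of troubleshooting.
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.network=implohq_proxy"
      # Containers are routed only when they set traefik.enable=true.
      - "--providers.docker.exposedbydefault=false"
      - "--providers.file.directory=/etc/traefik/dynamic"
      - "--providers.file.watch=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.ssh.address=:22"
      - "--certificatesresolvers.webresolver.acme.tlschallenge=true"
      # - "--certificatesresolvers.webresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.webresolver.acme.email=quirin.ecker@bajupa.com"
      - "--certificatesresolvers.webresolver.acme.storage=/letsencrypt/acme.json"
      # Redirect all plain-HTTP requests on :80 to the HTTPS entrypoint.
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"

  smarthome:
    container_name: implohq-smarthome
    networks:
      - proxy
    image: homeassistant/home-assistant:stable
    restart: always
    volumes:
      - ./storage/home-assistant/config:/config
    expose:
      - "8123"
    ports:
      - "5683:5683/udp"
      # NOTE(review): publishing 8123 on the host makes the UI reachable over
      # plain HTTP, bypassing the TLS route through Traefik. Drop this mapping
      # if access is meant to go through the proxy only.
      - "8123:8123"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.homeassistant.rule=Host(`smarthome.implohq.de`)"
      - "traefik.http.services.homeassistant.loadbalancer.server.port=8123"
      - "traefik.http.routers.homeassistant.entrypoints=websecure"
      - "traefik.http.routers.homeassistant.tls.certresolver=webresolver"

  cloud:
    container_name: implohq-cloud
    networks:
      - proxy
      - database
    # NOTE(review): ":latest" is not reproducible; pin a version or digest.
    image: lscr.io/linuxserver/nextcloud:latest
    restart: always
    volumes:
      - ./storage/nextcloud/data:/data
      - ./storage/nextcloud/config:/config
      # NOTE(review): nothing in this file shows why Nextcloud needs the Docker
      # socket. As with the proxy, ":ro" does not restrict the Docker API, so
      # this grants an internet-facing application control of the daemon.
      # Remove it unless it is required.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    expose:
      - "80"
    ports:
      # NOTE(review): direct plain-HTTP access that bypasses the Traefik TLS
      # route; confirm it is needed.
      - "8001:80"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud.rule=Host(`cloud.implohq.de`)"
      - "traefik.http.routers.nextcloud.entrypoints=websecure"
      - "traefik.http.routers.nextcloud.tls.certresolver=webresolver"
    env_file:
      - .env.cloud

  database:
    container_name: implohq-database
    restart: always
    # NOTE(review): untagged image; a pull can move to a new major version.
    image: postgres
    networks:
      - database
    ports:
      # NOTE(review): this publishes PostgreSQL on every host interface. The
      # cloud service already reaches it over the "database" network, so bind
      # to 127.0.0.1 or remove the mapping unless remote access is intended.
      - "5432:5432"
    volumes:
      - ./storage/postgres/:/var/lib/postgresql
    env_file:
      - .env.database

  broker:
    container_name: implohq-broker
    image: eclipse-mosquitto
    ports:
      # NOTE(review): 1883 is the unencrypted MQTT port. The listener config is
      # not visible here; confirm it requires authentication or is not
      # reachable from untrusted networks.
      - "1883:1883"
      - "8883:8883"
    volumes:
      - ./storage/mqtt/config:/mosquitto/config/
      - ./storage/mqtt/certs/:/mosquitto/certs/

  vpn:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: implohq-vpn
    cap_add:
      - NET_ADMIN
      - SYS_MODULE #optional
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - SERVERURL=vpn.implohq.de #optional
      - SERVERPORT=51820 #optional
      - PEERS=4 #optional
      - PEERDNS=auto #optional
      - INTERNAL_SUBNET=10.13.13.0 #optional
      - ALLOWEDIPS=0.0.0.0/0 #optional
      - PERSISTENTKEEPALIVE_PEERS= #optional
      - LOG_CONFS=true #optional
    volumes:
      - ./storage/wireguard/config:/config
      - ./storage/wireguard/modules:/lib/modules
    ports:
      - "51820:51820/udp"
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

  password-manager:
    image: vaultwarden/server:latest
    container_name: implohq-password-manager
    restart: unless-stopped
    networks:
      - proxy
    ports:
      # NOTE(review): plain-HTTP access to the vault that bypasses the Traefik
      # TLS route; remove it if the proxy is the intended entry point.
      - "9445:80" #map any custom port to use (replace 9445 not 80)
    volumes:
      - ./storage/vaultwarden/:/data:rw
    environment:
      # Compose treats a single "$" as variable substitution, so every "$" in
      # the PHC hash string is written as "$$" to reach the container literally.
      # NOTE(review): this hash uses Argon2i with m=16 KiB, t=2, p=1, which is
      # far below commonly recommended cost settings, and its plaintext was
      # published in this file's header. Rotate the token and re-hash it with
      # Argon2id at stronger parameters (e.g. via `vaultwarden hash`).
      - 'ADMIN_TOKEN=$$argon2i$$v=19$$m=16,t=2,p=1$$Xjg1RHVATSY$$6EP9M9H3QUOnmlEDPlX/5g'
      - WEBSOCKET_ENABLED=true
      # NOTE(review): open registration on a publicly routed password manager;
      # set this to false once the intended accounts exist.
      - SIGNUPS_ALLOWED=true
      - DOMAIN=https://passwords.implohq.de
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.vaultwarden.rule=Host(`passwords.implohq.de`)"
      - "traefik.http.routers.vaultwarden.entrypoints=websecure"
      - "traefik.http.routers.vaultwarden.tls=true"
      - "traefik.http.routers.vaultwarden.tls.domains[0].main=passwords.implohq.de"
    env_file:
      - .env.password-manager # Directly reference the certificate files

  git-server:
    image: docker.gitea.com/gitea:1.24.6
    container_name: implohq-git-server
    environment:
      - USER_UID=1000
      - USER_GID=1000
    restart: always
    volumes:
      - ./storage/gitea:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    networks:
      - proxy
    ports:
      # NOTE(review): the container's SSH port is reachable both here and via
      # the Traefik "ssh" entrypoint on host port 22; keep only the path in use.
      - "2222:22"
    expose:
      - "3000"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.git.rule=Host(`git.implohq.de`)"
      - "traefik.http.services.git.loadbalancer.server.port=3000"
      - "traefik.http.routers.git.entrypoints=websecure"
      - "traefik.http.routers.git.tls.certresolver=webresolver"
      # ssh config
      - "traefik.tcp.routers.git.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.git.entrypoints=ssh"
      - "traefik.tcp.services.git.loadbalancer.server.port=22"

networks:
  proxy:
    ipam:
      config:
        - subnet: "172.19.0.0/16"
          gateway: "172.19.0.1"
  database:
  portainer: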