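---
version: "3.0"
#
# updated: 2023-08-10
# stack: squid
#
# Compose stack for a single Squid proxy container. The x-* extension
# fields below are reusable templates (YAML anchors); `services.squid`
# merges x-common and then overrides several of its keys.
#
# YAML merge keys (`<<:`) are shallow: a key set on the service replaces
# the whole value inherited from the template (lists and maps are not
# combined).

# Log shipping: Docker logging driver "loki", pushing to the URL below.
x-logging: &x-logging
  logging:
    driver: loki
    options:
      loki-url: "http://loki:3100/loki/api/v1/push"
      loki-retries: "5"
      loki-batch-size: "400"
      keep-file: "false"
      max-size: "100m"
      max-file: "1"

# Environment shared by services. Values are quoted so they stay strings.
x-environment: &x-environment
  TZ: "Europe/Paris"
  PUID: "1000"
  PGID: "1000"

# Restrictive baseline: unprivileged UID/GID, all capabilities dropped
# except KILL, no-new-privileges, small CPU/memory limits, noexec /tmp.
x-common: &x-common
  <<: *x-logging
  restart: "no"
  stop_grace_period: 5s
  stdin_open: true
  tty: true
  privileged: false
  security_opt:
    - no-new-privileges=true
  cap_drop:
    - ALL
  cap_add:
    - KILL
  dns:
    - "1.1.1.1"
    - "8.8.8.8"
    - "1.0.0.1"
    - "8.8.4.4"
  ipc: "shareable"
  extra_hosts:
    - "template.home:1.2.3.4"
  # Quoted: digits-and-colon scalars are an implicit-typing hazard.
  user: "1000:1000"
  environment: *x-environment
  labels:
    # Label values are strings; quoted so the loader does not type it as
    # a boolean.
    com.centurylinklabs.watchtower.enable: "true"
    logging: "promtail"
    com.stack.name: "common"
    com.stack.service.name: "common"
  # NOTE(review): every service merging x-common receives the host kernel
  # log device. Confirm each consumer needs it; drop it from the template
  # otherwise.
  devices:
    - /dev/kmsg:/dev/kmsg
  deploy:
    resources:
      limits:
        cpus: "0.50"
        memory: 64M
  ulimits:
    nproc: 65535
    nofile:
      soft: 20000
      hard: 40000
  tmpfs:
    - /tmp:rw,noexec,nosuid,size=64k
  sysctls:
    net.core.somaxconn: 1024
    # NOTE(review): 0 turns SYN cookies off in the container's network
    # namespace, which removes a SYN-flood mitigation from any service
    # that publishes a listening port. Confirm this is intentional.
    net.ipv4.tcp_syncookies: 0

# Reusable bind-mount strings.
x-volume-timezone: &x-volume-timezone "/etc/timezone:/etc/timezone:ro"
x-volume-localtime: &x-volume-localtime "/etc/localtime:/etc/localtime:ro"
# Not mounted by any service in this file. A read-write Docker socket is
# equivalent to root on the host for whichever container receives it.
x-volume-docker-socket: &x-volume-docker-socket "/var/run/docker.sock:/var/run/docker.sock:rw"
# NOTE(review): mounted rw into squid below; `:ro` looks sufficient for a
# proc status file - confirm what reads it.
x-volume-cgroups: &x-volume-cgroups "/proc/cgroups:/cgroup:rw"
x-volume-ssl: &x-volume-ssl "/opt/docker/ssl:/ssl:ro"

services:
  squid:
    <<: *x-common
    # NOTE(review): root plus `privileged: true` undoes most of the
    # x-common baseline. Docker gives a privileged container every
    # capability (so the inherited `cap_drop: ALL` and the cap_add list
    # below stop mattering), lifts the default seccomp/AppArmor
    # confinement and exposes host devices. This service also publishes
    # ports, so a compromise of the proxy process is close to a compromise
    # of the host. Try `privileged: false` with the smallest cap_add set
    # the image's entrypoint actually needs, and verify the container
    # still starts.
    user: "0:0"
    privileged: true
    # Only takes effect once `privileged` is removed. SYS_ADMIN, BPF,
    # SYS_RAWIO, NET_ADMIN and MKNOD are the highest-impact entries;
    # confirm each one against what the image does at start-up.
    cap_add:
      - DAC_OVERRIDE
      - DAC_READ_SEARCH
      - CHOWN
      - FOWNER
      - FSETID
      - SETGID
      - SETUID
      - MKNOD
      - SYS_ADMIN
      - BPF
      - SETFCAP
      - SETPCAP
      - SYS_CHROOT
      - SYS_RAWIO
      - IPC_LOCK
      - IPC_OWNER
      - NET_BIND_SERVICE
      - NET_ADMIN
      - NET_RAW
      - NET_BROADCAST
    container_name: squid
    hostname: squid
    # NOTE(review): `latest` is a mutable tag on a third-party image that
    # runs privileged here. Pin a release tag or a digest, e.g.
    # `distahl/squid@sha256:<DIGEST_PLACEHOLDER>`.
    image: distahl/squid:latest
    restart: always
    # Published on every host interface. If the proxy is for local or LAN
    # clients only, bind a specific host address (`"<HOST_IP>:3128:3128"`)
    # and make sure the http_access rules in the mounted squid config
    # restrict which clients may use it.
    ports:
      - "3128:3128"
      - "3129:3129"
    expose:
      - "3128"
      - "3129"
    # Only proves the squid binary runs; it does not show that the proxy
    # is accepting connections.
    healthcheck:
      test: ["CMD", "squid", "--version"]
      interval: 30s
      timeout: 30s
      retries: 5
      start_period: 30s
    environment:
      <<: *x-environment
      PROXY_UID: "1000"
      PROXY_GID: "1000"
    # Replaces the x-common labels entirely (shallow merge), so the
    # watchtower and `logging: promtail` labels are not applied to this
    # container.
    labels:
      com.stack.name: "squid"
      com.stack.service.name: "squid"
    deploy:
      resources:
        limits:
          cpus: "4.0"
          memory: 1G
    tmpfs:
      - /tmp:rw,noexec,nosuid,size=512M
    volumes:
      - *x-volume-timezone
      - *x-volume-localtime
      - *x-volume-cgroups
      # Config is mounted read-write; `:ro` would stop a compromised
      # container from rewriting its own ACLs, if the image does not need
      # to write here - confirm.
      - /opt/docker/squid/conf:/etc/squid
      - /opt/docker/squid/datas/logs:/var/log/squid
      - type: tmpfs
        target: /var/spool/squid
        tmpfs:
          size: 1G
          # Relies on the loader reading a leading-zero integer as octal
          # (sticky, world-writable directory); a strict YAML 1.2 loader
          # would read decimal 1777 instead - confirm with the Compose
          # version in use.
          mode: 01777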