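---
version: "3.0"
#
# updated: 2023-04-01
# stack: traefik
#
# Edge stack: traefik is the public entry point and depends on varnish and
# modsecurity; modsecurity forwards to the whoami sample backend; fail2ban
# reads the log directory traefik writes to.
#
# NOTE(review): several images use floating tags (varnish:latest,
# crazymax/fail2ban:latest, containous/whoami:latest,
# owasp/modsecurity-crs:apache). Pin a version or digest so a redeploy
# cannot silently pull a different image.
services:
  traefik:
    container_name: traefik
    hostname: traefik
    image: traefik:3.0
    restart: always
    stdin_open: true
    tty: true
    networks:
      - proxy
    ports:
      - "80:80"
      - "443:443/tcp"
      - "443:443/udp"
      - "6082:6082"
    depends_on:
      - varnish
      - modsecurity
    environment:
      TZ: "Europe/Paris"
      # Placeholders only: supply the real values from an env file or secret
      # store kept out of version control, never inline in this file.
      # Quoted, because an unquoted leading "[" starts a YAML flow sequence
      # and the value would load as a list instead of a string.
      CF_API_EMAIL: "[cloudflare API email account]"
      #CF_DNS_API_TOKEN: "[cloudflare dns token]"
      #CF_DNS_API_TOKEN: "[cloudflare api token]"
      # NOTE(review): a global API key covers the whole Cloudflare account;
      # the scoped token variant commented out above limits what a leak of
      # this container's environment exposes.
      CF_API_KEY: "[cloudflare api key]"
    labels:
      - "traefik.enable=true"
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      # The :ro flag does not restrict Docker API calls: any process that can
      # connect to the socket can drive the daemon, which is equivalent to
      # root on the host. Consider placing a filtering socket proxy between
      # traefik and the daemon.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /opt/docker/ssl/:/ssl/:ro
      - /opt/docker/traefik/conf/traefik.yml:/traefik.yml:ro
      - /opt/docker/traefik/conf/config.yml:/config.yml:ro
      # acme.json holds the ACME account key and certificate private keys;
      # keep it owner-only (mode 600) on the host.
      - /opt/docker/traefik/datas/acme.json:/acme.json
      - /opt/docker/traefik/datas/log/:/logs/

  varnish:
    container_name: varnish
    hostname: varnish
    image: varnish:latest
    restart: always
    stdin_open: true
    tty: true
    networks:
      - proxy
    # NOTE(review): this publishes the cache on the host, reachable without
    # passing through traefik. If only traefik needs it over the `proxy`
    # network, drop the mapping or bind it to 127.0.0.1. The command below
    # opens a PROXY-protocol listener on :1080 inside the container, whereas
    # this mapping targets container port 80 - confirm that is intended.
    ports:
      - "1080:80"
    # NOTE(review): thread_pools is passed twice (16, then 2); confirm which
    # value is intended.
    command: "-a :1080,PROXY -s default,1G -p thread_pools=16 -p tcp_fastopen=on -p thread_pools=2 -p thread_pool_min=500 -p thread_pool_max=5000"
    environment:
      TZ: "Europe/Paris"
      VARNISH_SIZE: "1G"
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      # docker.sock mount removed: varnish does not use the Docker API, and a
      # :ro bind on the socket would not have limited API access anyway.
      - /opt/docker/traefik/conf/varnish.vcl:/etc/varnish/default.vcl:ro
      - /mnt/varnish:/var/lib/varnish
    tmpfs:
      - /tmp:exec

  fail2ban:
    container_name: fail2ban
    hostname: fail2ban
    image: crazymax/fail2ban:latest
    restart: always
    stdin_open: true
    tty: true
    # NOTE(review): on the `proxy` bridge network, firewall rules inserted
    # with these capabilities apply inside this container's own network
    # namespace. Confirm the configured ban action really blocks traffic
    # reaching traefik.
    cap_add:
      - NET_ADMIN
      - NET_RAW
    networks:
      - proxy
    depends_on:
      - traefik
    environment:
      TZ: "Europe/Paris"
      F2B_DB_PURGE_AGE: "14d"
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      - /opt/docker/traefik/datas/f2b:/data
      # Same host directory that traefik mounts at /logs/.
      - /opt/docker/traefik/datas/log:/var/log/traefik

  modsecurity:
    container_name: modsecurity
    hostname: modsecurity
    image: owasp/modsecurity-crs:apache
    restart: always
    stdin_open: true
    tty: true
    networks:
      - proxy
    # NOTE(review): publishing the WAF on the host makes it reachable without
    # passing through traefik; drop the mapping or bind it to 127.0.0.1 if
    # traefik reaches it over the `proxy` network.
    ports:
      - "2080:80"
    environment:
      TZ: "Europe/Paris"
      # Environment values are strings; quoted so the YAML loader does not
      # retype them.
      PARANOIA: "1"
      ANOMALY_INBOUND: "10"
      ANOMALY_OUTBOUND: "5"
      BACKEND: "http://whoami"
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      # docker.sock mount removed: a WAF that parses untrusted requests should
      # not hold a handle on the Docker daemon.

  whoami:
    container_name: whoami
    hostname: whoami
    image: containous/whoami:latest
    restart: always
    stdin_open: true
    tty: true
    networks:
      - proxy
    environment:
      TZ: "Europe/Paris"
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      # docker.sock mount removed: the sample backend has no use for the
      # Docker API.

networks:
  proxy:
    external: true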