version: '3.2'

services:
  traefik:
    image: traefik
    volumes:
    - /var/run/docker.sock:/var/run/docker.sock
    - /storage/traefik:/etc/traefik
    - /storage/certs:/etc/letsencrypt
    networks:
    - core-infra
    ports:
    - 80:80
    - 443:443
    deploy:
      placement:
        constraints: [node.role == manager]
      labels:
        traefik.enable: "true"
        traefik.http.services.proxy.loadbalancer.server.port: "8080"
        traefik.http.services.proxy.loadbalancer.server.scheme: "http"
        traefik.http.middlewares.https_redirect.redirectscheme.scheme: "https"
        traefik.http.routers.api_http.entrypoints: "web"
        traefik.http.routers.api_http.rule: "Host(`traefik.xxps.tp.edu.tw`)"
        traefik.http.routers.api_http.middlewares: "https_redirect"
        traefik.http.routers.api_https.entrypoints: "web-secure"
        traefik.http.routers.api_https.rule: "Host(`traefik.xxps.tp.edu.tw`)"
        traefik.http.routers.api_https.tls: "true"
        traefik.http.routers.api_https.tls.certresolver: "letsencrypt"
        traefik.http.routers.api_https.service: "api@internal"
    command:
    - "--providers.docker.endpoint=unix:///var/run/docker.sock"
    - "--providers.docker.swarmMode=true"
    - "--providers.docker.exposedByDefault=false"
    - "--providers.docker.network=core-infra"
    - "--entryPoints.web.address=:80"
    - "--entryPoints.web-secure.address=:443"
    - "--certificatesResolvers.letsencrypt.acme.email=your@mail.com"
    - "--certificatesResolvers.letsencrypt.acme.storage=/etc/letsencrypt/acme.json"
    - "--certificatesResolvers.letsencrypt.acme.tlsChallenge=true"
    - "--certificatesResolvers.letsencrypt.acme.httpChallenge.entryPoint=web"
    - "--api.insecure=true"
    - "--api.dashboard=true"
    
  agent:
    image: portainer/agent
    environment:
      AGENT_CLUSTER_ADDR: tasks.agent
    volumes:
    - /var/run/docker.sock:/var/run/docker.sock
    ports:
    - 9001:9001
    networks:
    - core-infra
    deploy:
      mode: global
      placement:
        constraints: [node.platform.os == linux]

  portainer:
    image: portainer/portainer-ce
    command: -H tcp://tasks.agent:9001 -tlsskipverify
    volumes:
    - /var/run/docker.sock:/var/run/docker.sock
    - /storage/portainer:/data
    networks:
    - core-infra
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints: [node.role == manager]
      labels:
        traefik.enable: "true"
        traefik.http.services.portainer.loadbalancer.server.port: "9000"
        traefik.http.services.portainer.loadbalancer.server.scheme: "http"
        traefik.http.routers.portainer.entrypoints: "web"
        traefik.http.routers.portainer.rule: "Host(`portainer.xxps.tp.edu.tw`)"
        traefik.http.routers.portainer.middlewares: "https_redirect"
        traefik.http.routers.portainer-secure.entrypoints: "web-secure"
        traefik.http.routers.portainer-secure.rule: "Host(`portainer.xxps.tp.edu.tw`)"
        traefik.http.routers.portainer-secure.tls: "true"
        traefik.http.routers.portainer-secure.tls.certresolver: "letsencrypt"

networks:
  core-infra:
    external: true