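---
# Compose stack: Traefik reverse proxy, a shared database tier (MariaDB,
# PostgreSQL, Adminer) and a static MTA-STS policy host.
#
# All credentials are interpolated from the environment / .env file; keep that
# file out of version control and readable only by the deploying user.
#
# NOTE(review): image tags below track a major version only (adminer:5,
# traefik:3, ...), so a re-pull can change the running code. Pin a minor
# version or digest if reproducible deployments matter.
services:
  # Database-Stack
  adminer:
    image: adminer:5
    container_name: adminer
    depends_on:
      - mariadb
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      - "traefik.http.routers.adminer.rule=Host(`adminer.${DOMAIN}`)"
      - "traefik.http.routers.adminer.entrypoints=websecure"
      # Adminer sits on the database network and can reach both database
      # servers, so it is not published anonymously: the admin-auth basic-auth
      # middleware (defined on the traefik service) gates it at the proxy, in
      # addition to Adminer's own database login.
      - "traefik.http.routers.adminer.middlewares=admin-auth,https-redirect"
      - "traefik.http.routers.adminer.tls=true"
      - "traefik.http.routers.adminer.tls.certresolver=le"
      - "traefik.http.services.adminer.loadbalancer.server.port=8080"
    networks:
      - database
      - traefik
    restart: unless-stopped

  mariadb:
    image: mariadb:12
    container_name: mariadb
    environment:
      # Quoted so the interpolated values are always treated as strings.
      MARIADB_ROOT_PASSWORD: "${MARIADB_ROOT_PASSWORD}"
      MARIADB_USER: "${MARIADB_USER}"
      MARIADB_PASSWORD: "${MARIADB_PASSWORD}"
    labels:
      # Explicit opt-out; exposedbydefault=false on Traefik already keeps
      # unlabelled containers unrouted.
      - "traefik.enable=false"
    volumes:
      - ./volumes/mariadb/data:/var/lib/mysql
    # Only on the internal database network; no ports are published.
    networks:
      - database
    restart: unless-stopped

  postgres:
    image: postgres:17
    container_name: postgres
    # Mapping form, matching the mariadb service (equivalent to the list form).
    environment:
      POSTGRES_USER: "${POSTGRES_USER}"
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD}"
    volumes:
      - ./volumes/postgres/data:/var/lib/postgresql/data
    # Only on the internal database network; no ports are published.
    networks:
      - database
    restart: unless-stopped

  # Traefik
  traefik:
    image: traefik:3
    container_name: traefik
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      # Middlewares
      # Basic auth for admin endpoints. The password must be supplied as an
      # htpasswd-style hash, never in plain text.
      # NOTE(review): hashes contain `$`; confirm the .env value survives
      # Compose interpolation unchanged.
      - "traefik.http.middlewares.admin-auth.basicauth.users=${TRAEFIK_USERNAME}:${TRAEFIK_HASHED_PASSWORD}"
      - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.https-redirect.redirectscheme.permanent=true"
      - "traefik.http.middlewares.https-redirect.redirectscheme.port=443"
      # HSTS header set (15552000 s = 180 days, subdomains, preload). No router
      # in this file attaches it; presumably used by a Nextcloud stack defined
      # elsewhere - verify it is actually referenced.
      - "traefik.http.middlewares.nextcloud-headers.headers.stsSeconds=15552000"
      - "traefik.http.middlewares.nextcloud-headers.headers.stsIncludeSubdomains=true"
      - "traefik.http.middlewares.nextcloud-headers.headers.stsPreload=true"
      - "traefik.http.middlewares.nextcloud-headers.headers.forceSTSHeader=true"
      # Timeout middlewares
      # These only add informational headers; the enforced timeouts are the
      # --serverstransport.forwardingtimeouts.* flags in `command`.
      - "traefik.http.middlewares.timeout.headers.customrequestheaders.X-Forwarded-Timeout=120"
      - "traefik.http.middlewares.timeout.headers.customresponseheaders.X-Response-Timeout=120"
      # routers
      # Dashboard/API router: served from api@internal behind admin-auth.
      - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)"
      - "traefik.http.routers.traefik.entrypoints=web,websecure"
      - "traefik.http.routers.traefik.middlewares=admin-auth,https-redirect"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=le"
      - "traefik.http.routers.traefik.service=api@internal"
      # Services
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
    command:
      # Enable Docker provider
      - --providers.docker
      # Disable exposing services without Traefik labels
      - --providers.docker.exposedbydefault=false
      # Listen on port 2424 for SSH requests
      # (no TCP router for this entrypoint is defined in this file)
      - --entrypoints.gitlab-ssh.address=:2424
      # Listen on port 80 for HTTP requests
      - --entrypoints.web.address=:80
      # Listen on port 443 for HTTPS requests
      - --entrypoints.websecure.address=:443
      # Redirect HTTP requests to HTTPS
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --entrypoints.web.http.redirections.entrypoint.permanent=true
      # Use the specified email address for Let's Encrypt certificate requests
      - --certificatesresolvers.le.acme.email=${TRAEFIK_EMAIL}
      # Use the HTTP challenge for Let's Encrypt certificate requests
      - --certificatesresolvers.le.acme.httpchallenge.entrypoint=web
      # Use the specified storage location for Let's Encrypt certificates
      # (acme.json holds the private keys; it lives in the named volume below)
      - --certificatesresolvers.le.acme.storage=/certificates/acme.json
      # Use the TLS-ALPN-01 challenge for Let's Encrypt certificate requests
      # NOTE(review): HTTP-01 and TLS-ALPN-01 are both configured on the same
      # resolver - confirm which one is intended and drop the other.
      - --certificatesresolvers.le.acme.tlschallenge=true
      # Enable access log output
      - --accesslog
      # Enable general log output
      - --log.level=INFO
      # Enable the Traefik API (insecure mode is not enabled; access goes
      # through the authenticated router defined in the labels above)
      - --api
      # Set global timeouts
      - --serverstransport.forwardingtimeouts.dialtimeout=120s
      - --serverstransport.forwardingtimeouts.responseheadertimeout=120s
      - --serverstransport.forwardingtimeouts.idleconntimeout=120s
    volumes:
      # NOTE(review): `:ro` only makes the bind mount read-only; it does not
      # restrict which Docker API calls can be sent over the socket. A
      # compromise of this internet-facing container therefore gives control
      # of the Docker daemon. Consider a filtering socket proxy that exposes
      # only the read endpoints Traefik needs.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - server-certificates:/certificates
    ports:
      # Quoted: Compose port mappings should always be strings so no YAML
      # parser can reinterpret digit:digit values as numbers.
      - "2424:2424"
      - "80:80"
      - "443:443"
    networks:
      - traefik
    restart: unless-stopped

  # Static web root for the MTA-STS policy host, served read-only over HTTPS.
  mta-sts:
    image: nginx:1.27-alpine
    container_name: mta-sts
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      - "traefik.http.routers.mta-sts.rule=Host(`mta-sts.${DOMAIN}`)"
      - "traefik.http.routers.mta-sts.entrypoints=websecure"
      - "traefik.http.routers.mta-sts.tls=true"
      - "traefik.http.routers.mta-sts.tls.certresolver=le"
      - "traefik.http.services.mta-sts.loadbalancer.server.port=80"
    volumes:
      - ./mta-sts:/usr/share/nginx/html:ro
    networks:
      - traefik
    restart: unless-stopped

volumes:
  # Holds acme.json (ACME account and certificate private keys).
  server-certificates:
    name: server-certificates

# Fixed network names, presumably so other Compose projects can attach to them.
networks:
  database:
    name: database
  traefik:
    name: traefik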