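---
# Swarm stack (uses `deploy:` and top-level `configs:`): a public-facing nginx
# container plus a certbot sidecar that renews certificates through two
# shared named volumes.
version: "3.8"

networks:
  # Created outside this stack (external: true); it must exist before deploy.
  mapleopentech-public-prod:
    external: true

volumes:
  # Mounted at /etc/letsencrypt in both services, so it holds the certificate
  # private keys. No driver is set, so the default node-local driver applies.
  nginx-ssl-certs: {}
  # Mounted at /var/www/certbot in both services (presumably the ACME
  # webroot; confirm against site.conf).
  nginx-ssl-www: {}

services:
  nginx:
    # NOTE(review): `alpine` is a floating tag. Pin a specific version or
    # digest so the internet-facing image is reproducible and reviewable.
    image: nginx:alpine
    hostname: nginx
    networks:
      - mapleopentech-public-prod
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # NOTE(review): nothing visible here requires nginx to write to these
      # volumes; consider appending `:ro` once confirmed.
      - nginx-ssl-certs:/etc/letsencrypt
      - nginx-ssl-www:/var/www/certbot
      # Removed: Docker socket mount left over from an nginx-proxy setup.
      # The stock nginx image does not read the socket, and access to the
      # Docker API is equivalent to root on the host. `:ro` only makes the
      # bind mount read-only; it does not restrict API requests sent over the
      # socket. If a config generator is introduced later, expose the API
      # through a filtering socket proxy rather than mounting it in the
      # internet-facing container.
      # - /var/run/docker.sock:/tmp/docker.sock:ro
    configs:
      - source: nginx_config
        target: /etc/nginx/nginx.conf
      - source: nginx_site_config
        target: /etc/nginx/conf.d/default.conf
    deploy:
      replicas: 1
      placement:
        constraints:
          # Same node as backend. The named volumes are node-local, so nginx
          # and certbot share them only when both land on the same node; this
          # constraint ensures that only if exactly one node has the label.
          - node.labels.backend == true
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
      resources:
        limits:
          memory: 256M
          cpus: "0.5"
        reservations:
          memory: 128M
          cpus: "0.25"
    healthcheck:
      # Probes the /health path over plain HTTP from inside the container.
      test:
        - "CMD"
        - "wget"
        - "--no-verbose"
        - "--tries=1"
        - "--spider"
        - "http://localhost:80/health"
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s

  certbot:
    # NOTE(review): `latest` is unpinned. This container writes the TLS
    # private keys, so pin a version or digest and update it deliberately.
    image: certbot/certbot:latest
    hostname: certbot
    volumes:
      - nginx-ssl-certs:/etc/letsencrypt
      - nginx-ssl-www:/var/www/certbot
    # Runs `certbot renew` every 12h and exits cleanly on SIGTERM. `$$` is the
    # Compose escape for a literal `$`, so the shell sees `${!}`.
    # NOTE(review): nothing in this file reloads nginx after a renewal, so a
    # renewed certificate is not served until nginx reloads; confirm a reload
    # happens elsewhere and alert on certificate expiry.
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
    deploy:
      replicas: 1
      placement:
        constraints:
          # Must match the nginx placement so both see the same volumes.
          - node.labels.backend == true
      restart_policy:
        condition: on-failure

configs:
  # Config contents are fixed at deploy time from these local files.
  nginx_config:
    file: ./nginx.conf
  nginx_site_config:
    file: ./site.conf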