x-environment: &default-environment
  LOG_LEVEL: "INFO"
  ACME_PATH: "./acme.json"
  NETWORK: "${NETWORK:-web}"
  DOMAINNAME: "${DOMAINNAME:-furyhawk.lol}"
  TZ: "${TZ:-Asia/Singapore}"
  FIN_LOCATION: ""
  STREAMLIT_FIN_SERVER_PORT: "8501"
  GROQ_API_KEY: "${GROQ_API_KEY}"
  BAI_LOCATION: ""
  STREAMLIT_BAI_SERVER_PORT: "8502"

volumes:
  logs: {}
  production_traefik: {}
  portainer_data: {}

services:

  portainer:
    image: portainer/portainer-ce:sts
    command: -H unix:///var/run/docker.sock
    security_opt:
      - no-new-privileges:true
    environment:
      <<: *default-environment
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer_data:/data
    expose:
      - 8000
      - 9000
    networks:
      - net
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.entrypoints=web-secure"
      - "traefik.http.routers.portainer.rule=Host(`portainer.${DOMAINNAME}`) || Host(`port.${DOMAINNAME}`)"
      - "traefik.http.routers.portainer.middlewares=csrf@file"
      - "traefik.http.routers.portainer.tls.certresolver=letsencrypt"
      - "traefik.http.routers.portainer.service=portainer_service"
      - "traefik.http.services.portainer_service.loadbalancer.server.port=9000"

  traefik:
    environment:
      <<: *default-environment
    build:
      context: .
      dockerfile: ./traefik/Dockerfile
    image: traefik_production
    security_opt:
      - no-new-privileges:true
    restart: always
    deploy:
      placement:
        constraints:
          - node.role == manager
    volumes:
      - logs:/logs
      - production_traefik:/etc/traefik/acme:z
      - /var/run/docker.sock:/var/run/docker.sock
    extra_hosts:
    - "host.docker.internal:host-gateway"
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - "7687:7687"
      - "8083:8083"
      - "8084:8084"
      - "8883:8883"
      - "5432:5432"
      # - "8080:8080"
      # - "1883:1883"
      # - 18083:18083
    networks:
      - net
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=web-secure"
      - "traefik.http.routers.traefik.rule=Host(`dashboard.${DOMAINNAME}`)"
      - "traefik.http.routers.traefik.middlewares=auth@file"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik.service=api@internal"