version: '3.1'

services:

  traefik:
    image: traefik:latest
    container_name: traefik
    restart: always
    ports:
      - "443:443"
      - "127.0.0.1:8080:8080"
    expose:
      - "8082"
    command:
      - "--api=true"
      - "--api.insecure=true"
      - "--api.dashboard=true"
      - "--log.level=DEBUG"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      - "--entryPoints.metrics.address=:8082"
      - "--metrics.prometheus.entryPoint=metrics"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      # TESTING
      # - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=$MAIL"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    volumes:
      - "./traefik/letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    labels:
      - "traefik.enable=true"

### WIREGUARD
  wireguard:
    image: lscr.io/linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=$PUID
      - PGID=$PGID
    volumes:
      - ./wireguard/config/wg0.conf:/config/wg0.conf
      - /lib/modules:/lib/modules
    # Expose prometheus port
    expose:
      - 9090
    ports:
      - $SERVERPORT:$SERVERPORT/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

### MONITORING
  prometheus:
    image: prom/prometheus:v2.30.3
    container_name: prometheus
    volumes:
      - ./prometheus/prometheus-lt-1.yml:/etc/prometheus/prometheus.yml
      - prometheus_data:/prometheus
    command:
      - '--config.file=/etc/prometheus/prometheus.yml'
      - '--storage.tsdb.path=/prometheus'
      - '--web.console.libraries=/etc/prometheus/console_libraries'
      - '--web.console.templates=/etc/prometheus/consoles'
      - '--storage.tsdb.retention.time=200h'
      - '--web.enable-lifecycle'
    restart: unless-stopped
    network_mode: "service:wireguard"
    labels:
      org.label-schema.group: "monitoring"
    depends_on:
      - wireguard

  nodeexporter:
    image: prom/node-exporter:v1.2.2
    container_name: nodeexporter
    volumes:
      - /proc:/host/proc:ro
      - /sys:/host/sys:ro
      - /:/rootfs:ro
    command:
      - '--path.procfs=/host/proc'
      - '--path.rootfs=/rootfs'
      - '--path.sysfs=/host/sys'
      - '--collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc)($$|/)'
    restart: unless-stopped
    expose:
      - 9100
    labels:
      org.label-schema.group: "monitoring"

  cadvisor:
    image: gcr.io/cadvisor/cadvisor:v0.42.0
    container_name: cadvisor
    privileged: true
    devices:
      - /dev/kmsg:/dev/kmsg
    volumes:
      - /:/rootfs:ro
      - /var/run:/var/run:ro
      - /sys:/sys:ro
      - /var/lib/docker:/var/lib/docker:ro
      #- /cgroup:/cgroup:ro #doesn't work on MacOS only for Linux
    restart: unless-stopped
    expose:
      - 8080
    labels:
      org.label-schema.group: "monitoring"

  pushgateway:
    image: prom/pushgateway:v1.4.2
    container_name: pushgateway
    restart: unless-stopped
    expose:
      - 9091
    labels:
      org.label-schema.group: "monitoring"

### POKT
  pocket-lt-1:
    build: pokt
    ports:
      - "127.0.0.1:8081:8081"
      - "26656:26656"
    expose:
      - 26656
      - 26660
      - 8081
      - 8083
    #command: pocket start --simulateRelay
    environment:
      - POCKET_CORE_KEY=$POKT_LT_1_POCKET_CORE_KEY
      - POCKET_CORE_PASSPHRASE=$POKT_LT_1_POCKET_CORE_PASSPHRASE
      - POCKET_SNAPSHOT=$POCKET_SNAPSHOT
    volumes:
      - pocket-lt-1:/home/app/.pocket/data
      - pocket-lt-1-config:/home/app/.pocket/config
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.pocket-lt-1.loadbalancer.server.port=8081"
      - "traefik.http.routers.pocket-lt-1.entrypoints=websecure"
      - "traefik.http.routers.pocket-lt-1.tls.certresolver=myresolver"
      - "traefik.http.routers.pocket-lt-1.rule=Host(`$POKT_LT_1_DOMAIN`) && Path(`/v1`, `/v1/client/{dispatch|relay|challenge|sim}`)"

  pocket-lt-2:
    build: pokt
    ports:
      - "127.0.0.1:8082:8081"
      - "26657:26656"
    expose:
      - 26656
      - 26660
      - 8081
      - 8083
    #command: pocket start --simulateRelay
    environment:
      - POCKET_CORE_KEY=$POKT_LT_2_POCKET_CORE_KEY
      - POCKET_CORE_PASSPHRASE=$POKT_LT_2_POCKET_CORE_PASSPHRASE
      - POCKET_SNAPSHOT=$POCKET_SNAPSHOT
    volumes:
      - pocket-lt-2:/home/app/.pocket/data
      - pocket-lt-2-config:/home/app/.pocket/config
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.pocket-lt-2.loadbalancer.server.port=8081"
      - "traefik.http.routers.pocket-lt-2.entrypoints=websecure"
      - "traefik.http.routers.pocket-lt-2.tls.certresolver=myresolver"
      - "traefik.http.routers.pocket-lt-2.rule=Host(`$POKT_LT_2_DOMAIN`) && Path(`/v1`, `/v1/client/{dispatch|relay|challenge|sim}`)"

  pocket-lt-3:
    build: pokt
    ports:
      - "127.0.0.1:8083:8081"
      - "26658:26656"
    expose:
      - 26656
      - 26660
      - 8081
      - 8083
    #command: pocket start --simulateRelay
    environment:
      - POCKET_CORE_KEY=$POKT_LT_3_POCKET_CORE_KEY
      - POCKET_CORE_PASSPHRASE=$POKT_LT_3_POCKET_CORE_PASSPHRASE
      - POCKET_SNAPSHOT=$POCKET_SNAPSHOT
    volumes:
      - pocket-lt-3:/home/app/.pocket/data
      - pocket-lt-3-config:/home/app/.pocket/config
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.pocket-lt-3.loadbalancer.server.port=8081"
      - "traefik.http.routers.pocket-lt-3.entrypoints=websecure"
      - "traefik.http.routers.pocket-lt-3.tls.certresolver=myresolver"
      - "traefik.http.routers.pocket-lt-3.rule=Host(`$POKT_LT_3_DOMAIN`) && Path(`/v1`, `/v1/client/{dispatch|relay|challenge|sim}`)"

  pocket-lt-4:
    build: pokt
    ports:
      - "127.0.0.1:8084:8081"
      - "26659:26656"
    expose:
      - 26656
      - 26660
      - 8081
      - 8083
    #command: pocket start --simulateRelay
    environment:
      - POCKET_CORE_KEY=$POKT_LT_4_POCKET_CORE_KEY
      - POCKET_CORE_PASSPHRASE=$POKT_LT_4_POCKET_CORE_PASSPHRASE
      - POCKET_SNAPSHOT=$POCKET_SNAPSHOT
    volumes:
      - pocket-lt-4:/home/app/.pocket/data
      - pocket-lt-4-config:/home/app/.pocket/config
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.pocket-lt-4.loadbalancer.server.port=8081"
      - "traefik.http.routers.pocket-lt-4.entrypoints=websecure"
      - "traefik.http.routers.pocket-lt-4.tls.certresolver=myresolver"
      - "traefik.http.routers.pocket-lt-4.rule=Host(`$POKT_LT_4_DOMAIN`) && Path(`/v1`, `/v1/client/{dispatch|relay|challenge|sim}`)"

  haproxy:
    build: haproxy
    volumes:
      - ./haproxy:/usr/local/etc/haproxy
    expose:
      - "8404"
      - "80"
    ports:
      - "127.0.0.1:80:80"
    restart: always
    labels:
      - "prometheus-scrape.enabled=true"
      - "prometheus-scrape.port=8404"
      - "prometheus-scrape.job_name=haproxy"
      - "prometheus-scrape.metrics_path=/metrics"

### VOLUMES
volumes:
  pocket-lt-1:
  pocket-lt-1-config:
  pocket-lt-2:
  pocket-lt-2-config:
  pocket-lt-3:
  pocket-lt-3-config:
  pocket-lt-4:
  pocket-lt-4-config:
  prometheus_data: