services:
  crowdsec:
    container_name: crowdsec
    image: crowdsecurity/crowdsec:v1.6.1-2
    restart: unless-stopped
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${APP_DATA_DIR}/data/crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml
      - ${APP_DATA_DIR}/data/crowdsec:/etc/crowdsec
      - ${APP_DATA_DIR}/data/crowdsec/db:/var/lib/crowdsec/data
      - /var/log/auth.log:/var/log/auth.log:ro
      - /var/log/traefik:/var/log/traefik:ro
      # other containers will output their log files too
      # sudo mkdir /var/log/crowdsec
      - /var/log/crowdsec:/var/log/crowdsec:ro
    environment:
      - COLLECTIONS=
        crowdsecurity/linux
        crowdsecurity/traefik
        crowdsecurity/http-cve
        crowdsecurity/whitelist-good-actors
        crowdsecurity/sshd
      - GID=${GID-1000}
    networks:
      - tipi_main_network

  crowdsec-bouncer-traefik:
    container_name: crowdsec-bouncer-traefik
    image: fbonalair/traefik-crowdsec-bouncer:latest
    restart: unless-stopped
    depends_on:
      - crowdsec
    environment:
      # the CROWDSEC_BOUNCER_API_KEY needs to be created of the crowdsec container with:
      # To create the CROWDSEC_BOUNCER_API_KEY, execute the following command in the crowdsec container:
      # docker compose exec -t crowdsec cscli bouncers add crowdsec-bouncer-traefik
      - CROWDSEC_BOUNCER_API_KEY=${CROWDSEC_BOUNCER_API_KEY}
      - CROWDSEC_AGENT_HOST=crowdsec:8080
    networks:
      - tipi_main_network

  crowdsec-dashboard:
    container_name: crowdsec-dashboard
    #we're using a custom Dockerfile so that metabase pops with pre-configured dashboards
    #build: ./crowdsec_config/dashboard
    image: metabase/metabase
    restart: unless-stopped
    ports:
      - ${APP_PORT}:3000
    environment:
      - MB_DB_FILE=/data/metabase.db
      - MGID=${GID-1000}
    depends_on:
      - crowdsec
    volumes:
      - ${APP_DATA_DIR}/data/crowdsec-dashboard/data:/data
      - ${APP_DATA_DIR}/data/crowdsec/db:/metabase-data
    networks:
      - tipi_main_network
    labels:
      # Main
      traefik.enable: true
      traefik.http.middlewares.crowdsec-web-redirect.redirectscheme.scheme: https
      traefik.http.services.crowdsec.loadbalancer.server.port: 3000
      # Web
      traefik.http.routers.crowdsec-insecure.rule: Host(`${APP_DOMAIN}`)
      traefik.http.routers.crowdsec-insecure.entrypoints: web
      traefik.http.routers.crowdsec-insecure.service: crowdsec
      traefik.http.routers.crowdsec-insecure.middlewares: crowdsec-web-redirect
      # Websecure
      traefik.http.routers.crowdsec.rule: Host(`${APP_DOMAIN}`)
      traefik.http.routers.crowdsec.entrypoints: websecure
      traefik.http.routers.crowdsec.service: crowdsec
      traefik.http.routers.crowdsec.tls.certresolver: myresolver
      # Local domain
      traefik.http.routers.crowdsec-local-insecure.rule: Host(`crowdsec.${LOCAL_DOMAIN}`)
      traefik.http.routers.crowdsec-local-insecure.entrypoints: web
      traefik.http.routers.crowdsec-local-insecure.service: crowdsec
      traefik.http.routers.crowdsec-local-insecure.middlewares: crowdsec-web-redirect
      # Local domain secure
      traefik.http.routers.crowdsec-local.rule: Host(`crowdsec.${LOCAL_DOMAIN}`)
      traefik.http.routers.crowdsec-local.entrypoints: websecure
      traefik.http.routers.crowdsec-local.service: crowdsec
      traefik.http.routers.crowdsec-local.tls: true