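---
# Demo stack: Traefik v3 with the CrowdSec bouncer plugin (AppSec enabled),
# two whoami test services and a CrowdSec container acting as LAPI.
services:
  traefik:
    image: "traefik:v3.0.0"
    container_name: "traefik"
    restart: unless-stopped
    command:
      # Access logs are written to the shared "logs" volume, which the
      # crowdsec container mounts read-only.
      - "--accesslog"
      - "--accesslog.filepath=/var/log/traefik/access.log"
      # api.insecure serves the dashboard and API without authentication on
      # the internal :8080 entrypoint. It is kept for the demo and published
      # on loopback only (see ports). For anything shared, drop this flag and
      # route api@internal through an authenticated router.
      - "--api.insecure=true"
      - "--providers.docker=true"
      # Containers are only routed when they opt in with traefik.enable=true.
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      # The plugin is fetched by module name at startup; keep the version
      # pinned so the code running in the request path is reviewable.
      - "--experimental.plugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
      - "--experimental.plugins.bouncer.version=v1.3.0"
    volumes:
      # NOTE(review): ":ro" only protects the socket file itself. A process
      # that can open the socket can still issue any Docker API call, so
      # treat this container as having control of the Docker daemon.
      # Consider a filtering socket proxy if this leaves a lab environment.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # - './ban.html:/ban.html:ro'
      # - './captcha.html:/captcha.html:ro'
      - "logs:/var/log/traefik"
    ports:
      # Quoted so the host:container pairs are always read as strings.
      - "8000:80"
      # Dashboard/API: bound to loopback because api.insecure has no auth.
      - "127.0.0.1:8080:8080"
    depends_on:
      - "crowdsec"

  whoami1:
    # No tag means "latest"; pin a tag or digest for reproducible deployments.
    image: traefik/whoami
    container_name: "simple-service-foo"
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      # Definition of the router
      - "traefik.http.routers.router-foo.rule=Path(`/foo`)"
      - "traefik.http.routers.router-foo.entrypoints=web"
      # Every router that must be protected has to reference the middleware;
      # a router without it is served with no CrowdSec check.
      - "traefik.http.routers.router-foo.middlewares=crowdsec@docker"
      # Definition of the service
      - "traefik.http.services.service-foo.loadbalancer.server.port=80"

  whoami2:
    # No tag means "latest"; pin a tag or digest for reproducible deployments.
    image: traefik/whoami
    container_name: "simple-service-bar"
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      # Definition of the router
      - "traefik.http.routers.router-bar.rule=Path(`/bar`)"
      - "traefik.http.routers.router-bar.entrypoints=web"
      - "traefik.http.routers.router-bar.middlewares=crowdsec@docker"
      # Definition of the service
      - "traefik.http.services.service-bar.loadbalancer.server.port=80"
      # Definition of the middleware
      # The middleware exists only because these labels sit on this
      # container; if whoami2 is removed, router-foo's reference to
      # crowdsec@docker no longer resolves.
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.enabled=true"
      # crowdseclapikey is the key to authenticate to crowdsec.
      # Replace the placeholder with a generated secret, identical to
      # BOUNCER_KEY_TRAEFIK below. Labels are readable by anything with
      # Docker API access, so do not commit the real value.
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdseclapikey=FIXME-LAPI-KEY-1="
      # Enable AppSec real-time check.
      # NOTE(review): confirm in the plugin documentation whether requests
      # are passed or blocked when the AppSec component is unreachable.
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecappsecenabled=true"
      # forwardedheaderstrustedips should be the IP of the proxy that is in
      # front of traefik (if any). Only list addresses you control: the
      # client IP used for decisions is taken from forwarded headers sent by
      # these peers. A fixed container IP can change when the network is
      # recreated, so verify it after each redeploy.
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.forwardedheaderstrustedips=172.21.0.5"

  crowdsec:
    image: crowdsecurity/crowdsec:v1.6.8
    container_name: "crowdsec"
    restart: unless-stopped
    environment:
      COLLECTIONS: >-
        crowdsecurity/traefik
        crowdsecurity/appsec-virtual-patching
        crowdsecurity/appsec-generic-rules
      CUSTOM_HOSTNAME: crowdsec
      # We need to register one api key per service we will use.
      # Placeholder: must match crowdseclapikey on the middleware. Supply the
      # real key from an untracked env file or a secret store.
      BOUNCER_KEY_TRAEFIK: "FIXME-LAPI-KEY-1="
    volumes:
      # acquis.yaml is not shown here; presumably it declares the Traefik
      # access-log source and the AppSec listener. Verify before relying on
      # AppSec checks.
      - "./acquis.yaml:/etc/crowdsec/acquis.yaml:ro"
      # Read-only: crowdsec only needs to parse Traefik's access log.
      - "logs:/var/log/traefik:ro"
      - "crowdsec-db:/var/lib/crowdsec/data/"
      - "crowdsec-config:/etc/crowdsec/"
    labels:
      # Keep the LAPI off the public entrypoint.
      - "traefik.enable=false"

volumes:
  logs: {}
  crowdsec-db: {}
  crowdsec-config: {}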