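# Caddy with CrowdSec Security
#
# Values written as ${...} are substituted by Compose from the shell
# environment or an env file. CROWDSEC_API_KEY is a secret: keep it out of
# version control. Anything passed under `environment:` is also readable by
# whoever can run `docker inspect` on the host.
services:
  # CrowdSec - Security automation service that protects from attacks
  crowdsec:
    container_name: crowdsec
    # Official CrowdSec image. A tag can be re-pointed upstream; to pin the
    # exact content, append the digest: ...:v1.6.10@sha256:<digest>
    image: ghcr.io/crowdsecurity/crowdsec:v1.6.10
    restart: unless-stopped  # Auto-restart unless explicitly stopped

    # Environment configuration
    environment:
      # Registers the Caddy bouncer with this API key at startup. It must be
      # the same value the caddy service receives below.
      - BOUNCER_KEY_CADDY=${CROWDSEC_API_KEY}
      - GID=${GID}  # Group ID for file permissions
      - COLLECTIONS=${COLLECTIONS}  # Security collections to enable

    # Persistent storage volumes
    volumes:
      # Acquisition configs: which log sources CrowdSec reads
      - ${APPDATA_PATH}/caddy/crowdsec-acquis.d:/etc/crowdsec/acquis.d
      # Security database
      - ${APPDATA_PATH}/caddy/crowdsec-db:/var/lib/crowdsec/data/
      # Configuration files. CrowdSec keeps its API credential files in this
      # directory, so restrict the host directory's permissions.
      - ${APPDATA_PATH}/caddy/crowdsec-config:/etc/crowdsec/
      # Caddy's logs, mounted read-only: CrowdSec only needs to read them
      - ${APPDATA_PATH}/caddy/caddy-logs:/var/log/caddy:ro

    # Networks
    # No `ports:` entry on this service: the API on 8080 is not published on
    # the host and is reachable only from containers on the proxy network.
    networks:
      proxy:
        ipv4_address: 172.30.0.3

    # Health check configuration
    healthcheck:
      test: ["CMD-SHELL", "wget --spider --quiet --tries=1 --timeout=5 http://localhost:8080/health > /dev/null 2>&1 || exit 1"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s

  # Caddy web server with CrowdSec security
  caddy:
    container_name: caddy
    # Custom Caddy image with CrowdSec plugins.
    # NOTE(review): this is a third-party build that faces the internet and
    # holds the TLS private keys. Review how it is built and consider pinning
    # it by digest: ...:2.10.0@sha256:<digest>
    image: docker.io/ryuupendragon/caddy-crowdsec:2.10.0
    restart: unless-stopped  # Auto-restart on failure

    # Service dependencies
    depends_on:
      crowdsec:
        condition: service_healthy  # Requires working CrowdSec before starting

    # Required network capabilities
    # NOTE(review): NET_ADMIN is a broad capability. Caddy's container docs
    # suggest it so the HTTP/3 (QUIC) library can raise UDP buffer sizes; it
    # is not needed to bind ports or serve traffic. Confirm nothing else in
    # this image depends on it, then drop it if the tuning is not required.
    cap_add:
      - NET_ADMIN

    # Environment configuration
    environment:
      # Security key for CrowdSec integration (same secret as
      # BOUNCER_KEY_CADDY on the crowdsec service)
      - CROWDSEC_API_KEY=${CROWDSEC_API_KEY}

    # Persistent storage volumes
    volumes:
      # Caddyfile configuration
      - ${APPDATA_PATH}/caddy/caddy-file:/etc/caddy
      # Caddy's saved runtime configuration
      - ${APPDATA_PATH}/caddy/caddy-config:/config
      # Caddy's data directory: TLS certificates AND their private keys live
      # here. Restrict host permissions and treat backups of it as secrets.
      - ${APPDATA_PATH}/caddy/caddy-data:/data
      # Access logs. Same host directory the crowdsec service mounts
      # read-only, so the Caddyfile must write its logs under /logs for
      # CrowdSec to see them.
      - ${APPDATA_PATH}/caddy/caddy-logs:/logs
      # Served content
      - ${APPDATA_PATH}/caddy/caddy-srv:/srv

    # Network ports
    # Quoted so the mappings always parse as strings, whatever the
    # variables expand to.
    ports:
      - "${HTTP_PORT}:80"  # HTTP traffic
      - "${HTTPS_PORT}:443"  # HTTPS traffic
      - "${HTTPS_PORT}:443/udp"  # QUIC/HTTP3 support

    # Networks
    networks:
      proxy:
        ipv4_address: 172.30.0.2

networks:
  proxy:
    name: proxy
    driver: bridge
    ipam:
      config:
        - subnet: 172.30.0.0/16
          gateway: 172.30.0.1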