version: '3.8'

services:

  nginx:
    image: bunkerity/bunkerized-nginx
    ports:
      - published: 80
        target: 8080
        mode: host
        protocol: tcp
      - published: 443
        target: 8443
        mode: host
        protocol: tcp
    # bunkerized-nginx runs as an unprivileged user with UID/GID 101
    # don't forget to edit the permissions of the files and folders accordingly
    volumes:
      - /shared/confs:/etc/nginx:ro
      - /shared/letsencrypt:/etc/letsencrypt:ro
      - /shared/acme-challenge:/acme-challenge:ro
      - /shared/www:/www:ro
      - /shared/cache:/cache:ro
    environment:
      - SWARM_MODE=yes
      - USE_API=yes
      - API_URI=/ChangeMeToSomethingHardToGuess # must match API_URI from autoconf
      - MULTISITE=yes
      - SERVER_NAME=
      - AUTO_LETS_ENCRYPT=yes
      - REDIRECT_HTTP_TO_HTTPS=yes
      - DISABLE_DEFAULT_SERVER=yes
      - USE_CLIENT_CACHE=yes
      - USE_REDIS=yes
      - REDIS_HOST=redis
    networks:
      - net_config
      - net_services
    deploy:
      mode: global
      placement:
        constraints:
          - "node.role==worker"
      labels:
        - "bunkerized-nginx.AUTOCONF"

networks:
  net_config:
    external: true
  net_services:
    external: true