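# Reverse proxy (Caddy) with a CrowdSec agent reading Caddy's access logs.
# Both services share the external "proxy" network and the caddy_logs volume.
services:
  caddy:
    # Built from the local Dockerfile, stage "caddy".
    build:
      context: .
      target: caddy
    container_name: caddy
    restart: unless-stopped
    # NOTE(review): env_file injects every variable in .env into this
    # container, not only the ones listed under `environment`. Keep .env out of
    # version control and limited to what Caddy needs.
    env_file:
      - .env
    environment:
      - CLOUDFLARE_EMAIL=${CF_EMAIL}
      - CLOUDFLARE_API_TOKEN=${CF_AUTH_TOKEN}
      - ACME_AGREE=true
      # Same value as BOUNCER_KEY_CADDY on the crowdsec service below.
      # NOTE(review): an unset variable interpolates to an empty string, so
      # confirm that a missing key cannot leave the bouncer silently disabled.
      - CROWDSEC_API_KEY=${CROWDSEC_API_KEY}
    # Quoted so no YAML parser can read a port mapping as anything but a string.
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    # NOTE(review): NET_ADMIN is a broad capability; presumably added for UDP
    # buffer tuning on the 443/udp listener. Confirm, and drop it if unused.
    cap_add:
      - NET_ADMIN
    volumes:
      - ./config:/etc/caddy
      - caddy_data:/data
      - caddy_config:/config
      # Written here, mounted read-only into crowdsec.
      - caddy_logs:/var/log/caddy
    networks:
      - proxy
    security_opt:
      - no-new-privileges:true

  crowdsec:
    # NOTE(review): ":latest" is a mutable tag; pin a specific version (and
    # ideally a digest) so upgrades are deliberate and reproducible.
    image: docker.io/crowdsecurity/crowdsec:latest
    container_name: crowdsec
    restart: unless-stopped
    environment:
      - GID=1000
      # No inner quotes: in list form everything after "=" is the value, so
      # literal quote characters would end up inside the collection names.
      # Also corrects the misspelt "whitelisth-good-actors" collection name.
      - COLLECTIONS=crowdsecurity/linux crowdsecurity/caddy crowdsecurity/http-cve crowdsecurity/whitelist-good-actors
      # Same value as CROWDSEC_API_KEY on the caddy service above.
      - BOUNCER_KEY_CADDY=${CROWDSEC_API_KEY}
    volumes:
      - crowdsec_db:/var/lib/crowdsec/data/
      # NOTE(review): consider ":ro" here if the container never needs to
      # write to acquis.yaml; verify before changing.
      - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml
      # Read-only: the agent only parses Caddy's logs.
      - caddy_logs:/var/log/caddy:ro
    networks:
      - proxy
    security_opt:
      - no-new-privileges:true

volumes:
  caddy_data: {}
  caddy_config: {}
  caddy_logs: {}
  crowdsec_db: {}

networks:
  # Must already exist; Compose will not create an external network.
  proxy:
    external: true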