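---
# Self-hosted stack: password and 2FA managers, file storage, WireGuard VPN,
# Gitea, a Caddy reverse proxy and monitoring tools.
#
# Review notes that apply to the whole file:
#   * Every image uses a floating tag (`latest`, or `15` for postgres), so a
#     pull can change the running code without any change to this file. Pin
#     to a release tag or an image digest once a version has been validated.
#   * `${...}` values are interpolated by Compose from the shell or an `.env`
#     file. Keep that file out of version control and readable only by the
#     deploying user. Values passed through `environment:` are also visible
#     to anything that can inspect the container, including containers that
#     hold the Docker socket.
#   * A port published as "HOST:CONTAINER" listens on every host interface,
#     and Docker's own iptables rules are not filtered by host firewalls such
#     as ufw by default. Prefix with an address (for example "127.0.0.1:")
#     or drop the mapping for anything that should only be reached through
#     Caddy or the VPN.
#   * Port mappings and boolean/numeric environment values are quoted so the
#     YAML parser always hands Compose strings.
services:
  # ==========================
  # Vaultwarden (Password manager)
  # ==========================
  # NOTE(review): no SIGNUPS_ALLOWED or ADMIN_TOKEN is set here; confirm that
  # open account registration is intended for this instance.
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    volumes:
      - ./services/vaultwarden:/data
    environment:
      DOMAIN: "https://${VAULT_DOMAIN}"
    networks:
      - proxy

  # ==========================
  # 2FAuth (2FA manager)
  # ==========================
  2fauth:
    image: 2fauth/2fauth:latest
    container_name: 2fauth
    restart: always
    volumes:
      - ./services/2fauth:/data
    environment:
      APP_NAME: 2FAuth
      APP_ENV: production
      # Quoted: an unquoted false is a YAML boolean, not the string "false".
      APP_DEBUG: "false"
      APP_TIMEZONE: UTC
      SITE_OWNER: "${EMAIL}"
      APP_KEY: "${TWOFAUTH_APP_KEY}"
      APP_URL: "https://${AUTH_DOMAIN}"
      ASSET_URL: "https://${AUTH_DOMAIN}"
      # '*' trusts forwarded-client headers from any peer. No port is
      # published for this service, so peers are limited to containers on
      # `proxy`; narrow this to the proxy's address if that network grows.
      TRUSTED_PROXIES: '*'
      LOG_CHANNEL: daily
      LOG_LEVEL: notice
    networks:
      - proxy

  # ==========================
  # Filebrowser (Cloud file manager)
  # ==========================
  filebrowser:
    image: filebrowser/filebrowser:latest
    container_name: filebrowser
    restart: always
    volumes:
      - ./services/filebrowser/srv:/srv
      - ./services/filebrowser/database:/database
      - ./services/filebrowser/config:/config
    # Runs as an unprivileged UID:GID instead of root.
    user: "1000:1000"
    networks:
      - proxy

  # ==========================
  # WG-Easy (WireGuard VPN)
  # ==========================
  wg-easy:
    image: ghcr.io/wg-easy/wg-easy:latest
    container_name: wg-easy
    restart: always
    environment:
      WG_HOST: "${VPN_DOMAIN}"
      PASSWORD_HASH: "${WG_EASY_PASSWORD_HASH}"
    volumes:
      # Holds the WireGuard configuration and keys; restrict host
      # permissions on this directory.
      - ./services/wg-easy/data:/etc/wireguard
      - /lib/modules:/lib/modules:ro
    ports:
      - "51820:51820/udp"
      # NOTE(review): 51821/tcp is the wg-easy web UI, published here as
      # plain HTTP on all interfaces. If the UI is served through Caddy on
      # VPN_DOMAIN, this mapping is probably unnecessary - confirm.
      - "51821:51821/tcp"
    # NET_ADMIN and SYS_MODULE let the container change host networking and
    # load kernel modules; treat a compromise of this container accordingly.
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    networks:
      - proxy

  # ==========================
  # Gitea Database (PostgreSQL)
  # ==========================
  # NOTE(review): the database sits on the shared `proxy` network, so every
  # container on that network can open a connection to it. A dedicated
  # network shared only by gitea and gitea-db would limit that.
  gitea-db:
    image: postgres:15
    container_name: gitea-db
    restart: always
    environment:
      POSTGRES_USER: gitea
      POSTGRES_PASSWORD: "${GITEA_DB_PASSWORD}"
      POSTGRES_DB: gitea
    volumes:
      - ./services/gitea/postgres:/var/lib/postgresql/data
    networks:
      - proxy

  # ==========================
  # Gitea (Git service)
  # ==========================
  gitea:
    image: gitea/gitea:latest
    container_name: gitea
    restart: always
    depends_on:
      - gitea-db
    environment:
      USER_UID: "1000"
      USER_GID: "1000"
      GITEA__database__DB_TYPE: postgres
      GITEA__database__HOST: "gitea-db:5432"
      GITEA__database__NAME: gitea
      GITEA__database__USER: gitea
      GITEA__database__PASSWD: "${GITEA_DB_PASSWORD}"
    volumes:
      - ./services/gitea/data:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      # NOTE(review): 3000 exposes Gitea's HTTP listener directly, without
      # the proxy's TLS. If GITEA_DOMAIN is served through Caddy, consider
      # removing this mapping - confirm against the Caddyfile.
      - "3000:3000"
      # Git over SSH on host port 222.
      - "222:22"
    networks:
      - proxy

  # ==========================
  # Caddy (Reverse proxy)
  # ==========================
  caddy:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: caddy
    restart: always
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      # NOTE(review): this bind mount replaces the binary built from the
      # Dockerfile with ./caddy from the host, read-write. The host file must
      # exist and be trusted; mount it `:ro` if the container never needs to
      # rewrite its own binary.
      - ./caddy:/usr/bin/caddy
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - ./caddy-config:/config
      # Caddy's data directory; the access log below is written here too.
      - ./caddy-data:/data
    environment:
      VAULT_DOMAIN: "${VAULT_DOMAIN}"
      AUTH_DOMAIN: "${AUTH_DOMAIN}"
      STORAGE_DOMAIN: "${STORAGE_DOMAIN}"
      VPN_DOMAIN: "${VPN_DOMAIN}"
      GITEA_DOMAIN: "${GITEA_DOMAIN}"
      EMAIL: "${EMAIL}"
      # DNS-provider API credentials. Scope the key as narrowly as the
      # provider allows and rotate it if this host or the .env file leaks.
      PORKBUN_API_KEY: "${PORKBUN_API_KEY}"
      PORKBUN_API_SECRET: "${PORKBUN_API_SECRET}"
      LOG_FILE: /data/access.log
    networks:
      - proxy

  # The four services below are not attached to `proxy`, so they are reached
  # only through their published host ports, not through Caddy.

  # ==========================
  # Portainer (Docker manager)
  # ==========================
  portainer:
    image: portainer/portainer-ce:latest
    container_name: portainer
    restart: always
    ports:
      - "9443:9443"
    volumes:
      # Access to the Docker socket is equivalent to root on the host; anyone
      # who controls Portainer controls the machine.
      - /var/run/docker.sock:/var/run/docker.sock
      - ./services/portainer:/data

  # ==========================
  # Uptime Kuma (uptime monitor)
  # ==========================
  uptimekuma:
    image: louislam/uptime-kuma:latest
    container_name: uptime-kuma
    restart: always
    ports:
      - "3001:3001"
    volumes:
      - ./services/uptimekuma:/app/data

  # ==========================
  # Dozzle (live logs viewer)
  # ==========================
  # NOTE(review): no authentication settings are configured here, and
  # container logs often contain secrets. Confirm that port 9999 is not
  # reachable from untrusted networks, or enable Dozzle's authentication.
  dozzle:
    image: amir20/dozzle:latest
    container_name: dozzle
    restart: always
    ports:
      - "9999:8080"
    volumes:
      # `:ro` protects the socket file itself only; it does not restrict
      # which Docker API calls can be made over the socket. A filtering
      # socket proxy is the stronger control for read-only consumers.
      - /var/run/docker.sock:/var/run/docker.sock:ro

  # ==========================
  # Netdata (system monitoring)
  # ==========================
  # NOTE(review): the dashboard on 19999 is published on all interfaces;
  # confirm it is firewalled or fronted by an authenticating proxy.
  netdata:
    image: netdata/netdata:latest
    container_name: netdata
    restart: always
    ports:
      - "19999:19999"
    # SYS_PTRACE plus an unconfined AppArmor profile widen what this
    # container can observe and do on the host; keep them only if the
    # collectors that need them are in use.
    cap_add:
      - SYS_PTRACE
    security_opt:
      - apparmor:unconfined
    volumes:
      - ./services/netdata/config:/etc/netdata
      - ./services/netdata/lib:/var/lib/netdata
      - ./services/netdata/cache:/var/cache/netdata
      # See the Dozzle note: `:ro` does not limit Docker API access.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /proc:/host/proc:ro
      - /sys:/host/sys:ro

networks:
  # Shared bridge network joining Caddy to the services it fronts.
  proxy:
    driver: bridge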