services:
  nginx-proxy:
    image: nginxproxy/nginx-proxy:1.6
    container_name: nginx-proxy
    restart: unless-stopped
    ports:
      - '80:80'
      - '443:443'
    volumes:
      - /srv/nginx-proxy-acme/certs:/etc/nginx/certs:ro
      - /srv/nginx-proxy-acme/vhost.d:/etc/nginx/vhost.d
      - /srv/nginx-proxy-acme/html:/usr/share/nginx/html
      - /srv/nginx-proxy-acme/conf.d/static-upstreams.conf:/etc/nginx/conf.d/static-upstreams.conf:ro
      - /srv/nginx-proxy-acme/conf.d/block-exploits.conf:/etc/nginx/conf.d/block-exploits.conf:ro
      - /var/run/docker.sock:/tmp/docker.sock:ro
    environment:
      - TRUST_DOWNSTREAM_PROXY=false

  acme-companion:
    image: nginxproxy/acme-companion:2.4
    container_name: acme-companion
    restart: unless-stopped
    volumes_from:
      - nginx-proxy
    volumes:
      - /srv/nginx-proxy-acme/certs:/etc/nginx/certs:rw
      - /srv/nginx-proxy-acme/acme:/etc/acme.sh
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - DEFAULT_EMAIL=${LETSENCRYPT_EMAIL}
    depends_on:
      - nginx-proxy

  # Dummy container to trigger certificate issuance for static IP backends
  # This container does nothing but hold env vars for acme-companion to detect
  static-certs:
    image: alpine:3.19
    container_name: static-certs
    restart: unless-stopped
    command: ["sleep", "infinity"]
    environment:
      - VIRTUAL_HOST=portainer.kolpacksoftware.com,btt-cb1.kolpacksoftware.com,hats.kolpacksoftware.com,pve-nas.kolpacksoftware.com,unraid.kolpacksoftware.com
      - LETSENCRYPT_HOST=portainer.kolpacksoftware.com,btt-cb1.kolpacksoftware.com,hats.kolpacksoftware.com,pve-nas.kolpacksoftware.com,unraid.kolpacksoftware.com

networks:
  default:
    name: npm-network
    external: true