version: "3"

services:
  mybunker:
    image: bunkerity/bunkerweb:1.5.2
    ports:
      - 80:8080
      - 443:8443
    environment:
      - SERVER_NAME=www.example.com # replace with your domain
      - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
      - AUTO_LETS_ENCRYPT=yes
      - DISABLE_DEFAULT_SERVER=yes
      - COOKIE_FLAGS=* SameSite=Lax
      - ALLOWED_METHODS=GET|POST|HEAD|PUT|DELETE
      - SERVE_FILES=no
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - USE_REVERSE_PROXY=yes
      - REVERSE_PROXY_URL=/
      - REVERSE_PROXY_HOST=https://mypassbolt
    labels:
      - "bunkerweb.INSTANCE" # required for the scheduler to recognize the container
    networks:
      - bw-universe
      - bw-services

  bw-scheduler:
    image: bunkerity/bunkerweb-scheduler:1.5.2
    depends_on:
      - mybunker
    environment:
      - DOCKER_HOST=tcp://bw-docker-proxy:2375
    volumes:
      - bw-data:/data
    networks:
      - bw-universe
      - bw-docker

  bw-docker-proxy:
    image: tecnativa/docker-socket-proxy:nightly
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - CONTAINERS=1
      - LOG_LEVEL=warning
    networks:
      - bw-docker

  # you will need to add a user by hand
  # example : docker-compose exec mypassbolt su -m -c "/usr/share/php/passbolt/bin/cake passbolt register_user -u <your@email.com> -f <yourname> -l <surname> -r admin" -s /bin/sh www-data
  # more info at https://github.com/passbolt/passbolt_docker
  mypassbolt:
    image: passbolt/passbolt:3.8.3-1-ce
    #Alternatively you can use rootless:
    # image: passbolt/passbolt:3.8.3-1-ce-non-root
    depends_on:
      - mydb
    environment:
      - APP_FULL_BASE_URL=https://www.example.com # replace with your URL
      - DATASOURCES_DEFAULT_HOST=mydb
      - DATASOURCES_DEFAULT_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
      - DATASOURCES_DEFAULT_USERNAME=user
      - DATASOURCES_DEFAULT_DATABASE=passbolt
    volumes:
      - gpg-data:/etc/passbolt/gpg
      - jwt-data:/etc/passbolt/jwt
    command:
      [
        "/usr/bin/wait-for.sh",
        "-t",
        "0",
        "mydb:3306",
        "--",
        "/docker-entrypoint.sh",
      ]
    networks:
      - bw-services

  mydb:
    image: mariadb
    volumes:
      - db-data:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
      - MYSQL_DATABASE=passbolt
      - MYSQL_USER=user
      - MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD)
    networks:
      - bw-services

volumes:
  gpg-data:
  jwt-data:
  db-data:
  bw-data:

networks:
  bw-universe:
    ipam:
      driver: default
      config:
        - subnet: 10.20.30.0/24
  bw-services:
  bw-docker: