services:
  bunkerweb:
    image: bunkerity/bunkerweb:1.6.0-beta
    container_name: bunkerweb
    ports:
      - "80:8080"
      - "443:8443"
    environment:
      API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
    restart: "unless-stopped"
    networks:
      - bw-universe
      - bw-services

  bw-scheduler:
    image: bunkerity/bunkerweb-scheduler:1.6.0-beta
    container_name: bw-scheduler
    depends_on:
      - bunkerweb
    volumes:
      - bw-data:/data
    environment:
      BUNKERWEB_INSTANCES: "bunkerweb"
      SERVER_NAME: "www.example.com" # replace with your domain
      API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
      AUTO_LETS_ENCRYPT: "yes"
      DISABLE_DEFAULT_SERVER: "yes"
      COOKIE_FLAGS: "* SameSite=Lax"
      ALLOWED_METHODS: "GET|POST|HEAD|PUT|DELETE"
      SERVE_FILES: "no"
      USE_CLIENT_CACHE: "yes"
      USE_GZIP: "yes"
      USE_REVERSE_PROXY: "yes"
      REVERSE_PROXY_URL: "/"
      REVERSE_PROXY_HOST: "https://mypassbolt"
      # REVERSE_PROXY_HOST: "https://mypassbolt:8080" # For non-root passbolt image
      CUSTOM_CONF_MODSEC_CRS_passbolt: |
        SecRule REQUEST_FILENAME "@rx ^/locales" "id:1000000,ctl:ruleRemoveById=953100,nolog"
    restart: "unless-stopped"
    networks:
      - bw-universe

  # you will need to add a user by hand
  # example : docker compose exec mypassbolt su -m -c "/usr/share/php/passbolt/bin/cake passbolt register_user -u <your@email.com> -f <yourname> -l <surname> -r admin" -s /bin/sh www-data
  # more info at https://github.com/passbolt/passbolt_docker
  mypassbolt:
    image: passbolt/passbolt:latest-ce
    #Alternatively you can use rootless:
    #image: passbolt/passbolt:latest-ce-non-root
    restart: unless-stopped
    depends_on:
      - mydb
    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
    environment:
      APP_FULL_BASE_URL: "https://www.example.com"
      DATASOURCES_DEFAULT_HOST: "mydb"
      DATASOURCES_DEFAULT_USERNAME: "user"
      DATASOURCES_DEFAULT_PASSWORD: "db-user-pwd" # replace with a stronger password (must match MYSQL_PASSWORD)
      DATASOURCES_DEFAULT_DATABASE: "passbolt"
    command: [ "/usr/bin/wait-for.sh", "-t", "0", "mydb:3306", "--", "/docker-entrypoint.sh" ]
    networks:
      - passbolt-net
      - bw-services

  mydb:
    image: mariadb:10.11
    volumes:
      - db-data:/var/lib/mysql
    environment:
      MYSQL_ROOT_PASSWORD: "db-root-pwd" # replace with a stronger password
      MYSQL_DATABASE: "passbolt"
      MYSQL_USER: "user"
      MYSQL_PASSWORD: "db-user-pwd" # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD)
    networks:
      - passbolt-net

volumes:
  db-data:
  bw-data:
  gpg_volume:
  jwt_volume:


networks:
  bw-universe:
    name: bw-universe
    ipam:
      driver: default
      config:
        - subnet: 10.20.30.0/24
  bw-services:
    name: bw-services
  passbolt-net:
    name: passbolt-net