services:
  bunkerweb:
    image: bunkerity/bunkerweb:1.6.0-rc1
    container_name: bunkerweb
    # dropping all capabilities
    cap_drop:
      - ALL
    # disable setuid/setgid
    security_opt:
      - no-new-privileges
    # read-only file system
    read_only: true
    # folders that need write access
    tmpfs:
      - /tmp:mode=0770,uid=0,gid=101
      - /var/tmp/bunkerweb:mode=0770,uid=0,gid=101
      - /var/run/bunkerweb:mode=0770,uid=0,gid=101
      - /var/cache/bunkerweb:mode=0770,uid=0,gid=101
      - /var/lib/bunkerweb:mode=0770,uid=0,gid=101
      - /var/www/html:mode=0770,uid=0,gid=101
      - /etc/bunkerweb:mode=0770,uid=0,gid=101
      - /etc/bunkerweb/configs:mode=0770,uid=0,gid=101
      - /etc/nginx:mode=0770,uid=0,gid=101
    ports:
      - "80:8080/tcp"
      - "443:8443/tcp"
      - "443:8443/udp" # for QUIC
    environment:
      API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
    restart: "unless-stopped"
    networks:
      - bw-universe
      - bw-services

  bw-scheduler:
    image: bunkerity/bunkerweb-scheduler:1.6.0-rc1
    container_name: bw-scheduler
    depends_on:
      - bunkerweb
    volumes:
      - bw-data:/data
    environment:
      BUNKERWEB_INSTANCES: "bunkerweb"
      SERVER_NAME: "www.example.com" # replace with your domain
      API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
      AUTO_LETS_ENCRYPT: "yes"
      DISABLE_DEFAULT_SERVER: "yes"
      USE_CLIENT_CACHE: "yes"
      USE_GZIP: "yes"
      USE_REVERSE_PROXY: "yes"
      REVERSE_PROXY_URL: "/"
      REVERSE_PROXY_HOST: "http://myapp:8080"
      REMOTE_PHP_PATH: "/app"
    restart: "unless-stopped"
    networks:
      - bw-universe

  myapp:
    image: nginxdemos/nginx-hello
    networks:
      - bw-services

volumes:
  bw-data:


networks:
  bw-universe:
    name: bw-universe
    ipam:
      driver: default
      config:
        - subnet: 10.20.30.0/24
  bw-services:
    name: bw-services