version: "3"

services:
  mybunker:
    image: bunkerity/bunkerweb:1.5.0
    # dropping all capabilities
    cap_drop:
      - ALL
    # disable setuid/setgid
    security_opt:
      - no-new-privileges
    # read-only file system
    read_only: true
    # folders that need write access
    tmpfs:
      - /tmp:mode=0770,uid=0,gid=101
      - /var/tmp/bunkerweb:mode=0770,uid=0,gid=101
      - /var/cache/bunkerweb:mode=0770,uid=0,gid=101
      - /etc/nginx:mode=0770,uid=0,gid=101
    ports:
      - 80:8080
      - 443:8443
    environment:
      - SERVER_NAME=www.example.com # replace with your domain
      - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
      - AUTO_LETS_ENCRYPT=yes
      - DISABLE_DEFAULT_SERVER=yes
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - USE_REVERSE_PROXY=yes
      - REVERSE_PROXY_URL=/
      - REVERSE_PROXY_HOST=http://myapp
      - REMOTE_PHP_PATH=/app
    labels:
      - "bunkerweb.INSTANCE" # required for the scheduler to recognize the container
    networks:
      - bw-universe
      - bw-services

  bw-scheduler:
    image: bunkerity/bunkerweb-scheduler:1.5.0
    depends_on:
      - mybunker
    environment:
      - DOCKER_HOST=tcp://bw-docker-proxy:2375
    volumes:
      - bw-data:/data
    networks:
      - bw-universe
      - bw-docker

  bw-docker-proxy:
    image: tecnativa/docker-socket-proxy:0.1
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - CONTAINERS=1
    networks:
      - bw-docker

  myapp:
    image: tutum/hello-world
    networks:
      - bw-services

volumes:
  bw-data:

networks:
  bw-universe:
    ipam:
      driver: default
      config:
        - subnet: 10.20.30.0/24
  bw-services:
  bw-docker: