frostlabs/core/stack.yml

services:
  traefik:
    image: traefik:v3.6.1
    ports:
    - 80:80
    - 443:443
    - 8082:8080
    environment:
    - CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare_api_token
    volumes:
    - /var/run/docker.sock:/var/run/docker.sock
    - ./static.yml:/etc/traefik/traefik.yml:ro
    - ./dynamic.yml:/etc/traefik/dynamic/dynamic.yml:ro
    - /home/doc/projects/swarm-data/traefik/certificates:/certificates
    - /home/doc/projects/swarm-data/traefik/logs:/var/log/traefik
    secrets:
    - cloudflare_api_token
    networks:
    - frostlabs
    healthcheck:
      test: [ "CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:8080/ping" ]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 30s
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints:
        - node.labels.task == control

  crowdsec:
    image: crowdsecurity/crowdsec:latest
    environment:
    # Disable online API enrollment (use for local setup)
    - DISABLE_ONLINE_API=false
    # Set collections to install
    - COLLECTIONS=crowdsecurity/traefik crowdsecurity/http-cve
    # Enable Prometheus metrics
    - METRICS_PORT=6060
    volumes:
    # Persistent CrowdSec configuration and data
    - /home/doc/projects/swarm-data/crowdsec/config:/etc/crowdsec
    - /home/doc/projects/swarm-data/crowdsec/data:/var/lib/crowdsec/data
    # Traefik access logs (read-only)
    - /home/doc/projects/swarm-data/traefik/logs:/var/log/traefik:ro
    # Acquis configuration
    - ./acquis.yaml:/etc/crowdsec/acquis.yaml:ro
    networks:
    - frostlabs
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints:
        - node.labels.task == control
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
    healthcheck:
      test: [ "CMD", "cscli", "version" ]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 60s

  portainer:
    image: portainer/portainer-ce:latest
    command: -H tcp://tasks.agent:9001 --tlsskipverify
    volumes:
    - /home/doc/projects/swarm-data/portainer:/data
    networks:
    - frostlabs
    ports:
    - 9000:9000
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints:
        - node.labels.task == control
      labels:
      - "traefik.enable=true"
      - "traefik.swarm.network=frostlabs"
      - "traefik.http.routers.portainer.rule=Host(`portainer.frostlabs.me`)"
      - "traefik.http.routers.portainer.entrypoints=websecure"
      - "traefik.http.routers.portainer.tls=true"
      - "traefik.http.routers.portainer.tls.certresolver=cloudflare"
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"

  agent:
    image: portainer/agent:latest
    volumes:
    - /var/run/docker.sock:/var/run/docker.sock
    - /var/lib/docker/volumes:/var/lib/docker/volumes
    networks:
    - frostlabs
    deploy:
      mode: global

networks:
  frostlabs:
    external: true

secrets:
  cloudflare_api_token:
    external: true