services:
  crowdsec:
    image: crowdsecurity/crowdsec:v1.6.8
    container_name: crowdsec
    security_opt:
      - no-new-privileges:true
    environment:
      GID: "${GID}"
      COLLECTIONS: "crowdsecurity/linux crowdsecurity/traefik"
    volumes:
      - ./acquis.yaml:/etc/crowdsec/acquis.yaml:ro
      - /srv/docker/crowdsec/crowdsec-config:/etc/crowdsec/:ro
      - /srv/docker/crowdsec/crowdsec-config/online_api_credentials.yaml:/etc/crowdsec/online_api_credentials.yaml:rw
      - /srv/docker/crowdsec/crowdsec-config/local_api_credentials.yaml:/etc/crowdsec/local_api_credentials.yaml:rw
      - /srv/docker/crowdsec/crowdsec-db:/var/lib/crowdsec/data/
      - traefik_traefik-logs:/var/log/traefik/:ro
    labels:
      - "traefik.enable=false"
    networks:
      - traefik_network
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "cscli", "version"]
      interval: 10s
      timeout: 5s
      retries: 3

  bouncer-traefik:
    image: ghcr.io/crowdsecurity/traefik-bouncer:latest
    container_name: bouncer-traefik
    security_opt:
      - no-new-privileges:true
    environment:
      CROWDSEC_BOUNCER_API_KEY: ${CROWDSEC_BOUNCER_API_KEY}
      CROWDSEC_AGENT_HOST: crowdsec:8080
    networks:
      - traefik_network
    depends_on:
      crowdsec:
        condition: service_healthy
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "wget", "--spider", "-q", "http://localhost:8080/api/v1/ping"]
      interval: 10s
      timeout: 5s
      retries: 3

networks:
  traefik_network:
    external: true

volumes:
  traefik_traefik-logs:
    external: true