version: '3'

services:
  nginx-terminate:
    image: nginx:alpine
    restart: unless-stopped
    volumes:
      - ./data/nginx-terminate/nginx.conf:/etc/nginx/nginx.conf:ro,Z
      - ./data/certbot/conf:/etc/letsencrypt:ro,z
      - ./data/certbot/www:/var/www/certbot:ro,z
    ports:
      - "443:443"
      - "80:80"
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETUID
      - SETGID
      - NET_BIND_SERVICE
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; /usr/sbin/nginx -s reload; done & /usr/sbin/nginx -c /etc/nginx/nginx.conf -g \"daemon off;\"'"
  nginx-relay:
    image: nginx:alpine
    restart: unless-stopped
    volumes:
      - ./data/nginx-relay/nginx.conf:/etc/nginx/nginx.conf:ro,Z
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - SETUID
      - SETGID
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; /usr/sbin/nginx -s reload; done & /usr/sbin/nginx -c /etc/nginx/nginx.conf -g \"daemon off;\"'"
  certbot:
    image: certbot/certbot
    restart: unless-stopped
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt:z
      - ./data/certbot/www:/var/www/certbot:z
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
    security_opt:
      - no-new-privileges:true