version: '3'

services:
  nginx-terminate:
    image: nginx:alpine
    restart: unless-stopped
    volumes:
      - ./data/nginx-terminate/nginx.conf:/etc/nginx/nginx.conf:Z
      - ./data/certbot/conf:/etc/letsencrypt:Z
      - ./data/certbot/www:/var/www/certbot:Z
    read_only: true
    ports:
      - "443:443"
      - "80:80"
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - CAP_NET_BIND_SERVICE
      - CHOWN
    tmpfs:
      - /var/run:size=50M,mode=0770,noexec,nosuid,nodev
  nginx-relay:
    image: nginx:alpine
    restart: unless-stopped
    volumes:
      - ./data/nginx-relay/nginx.conf:/etc/nginx/nginx.conf:Z
    read_only: true
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    tmpfs:
      - /var/run:size=50M,mode=0770,noexec,nosuid,nodev
  certbot:
    image: certbot/certbot
    restart: unless-stopped
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt:Z
      - ./data/certbot/www:/var/www/certbot:Z
    ports:
      - "80:80"
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - CAP_NET_BIND_SERVICE