---
version: '2.4'

services:
  reverse-proxy:
    build: ./traefik/
    command:
      - --ping=true
      - --ping.entrypoint=ping
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=${PROJECT_ID:-default}_jenkins
      - --providers.file.directory=/traefik.conf.d/
      - --entryPoints.web.address=:${EXTERNAL_HTTP_PORT}
      - --entryPoints.websecure.address=:${EXTERNAL_HTTPS_PORT}
      - --entryPoints.jnlp.address=:${EXTERNAL_JNLP_PORT}
      - --entryPoints.ping.address=:8888
      - --certificatesResolvers.letsencrypt.acme.email=${JENKINS_ADMIN_EMAIL}
      - --certificatesResolvers.letsencrypt.acme.storage=${ACME_DATA_PATH}/acme.json
      - --certificatesResolvers.letsencrypt.acme.tlsChallenge=true
      - --certificatesResolvers.letsencrypt.acme.caServer=${ACME_CASERVER}
      - --accesslog=true
    restart: unless-stopped
    labels:
      - traefik.enable=true
      ## Redirect any HTTP request to its HTTPS version
      - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
      - traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)
      - traefik.http.routers.redirs.entrypoints=web
      - traefik.http.routers.redirs.middlewares=redirect-to-https
    read_only: true
    cpus: "${TRAEFIK_MAX_CPUS}"
    mem_limit: "${TRAEFIK_MAX_MEMORY}"
    ports:
      - "${EXTERNAL_HTTP_PORT}:${EXTERNAL_HTTP_PORT}"
      - "${EXTERNAL_HTTPS_PORT}:${EXTERNAL_HTTPS_PORT}"
      - "${EXTERNAL_JNLP_PORT}:${EXTERNAL_JNLP_PORT}"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - "acme-data:${ACME_DATA_PATH}:rw"
    healthcheck:
      test: ["CMD", "wget", "http://127.0.0.1:8888/ping", "--spider"]
      interval: 2s
      timeout: 5s
      retries: 30
      start_period: 5s
    networks:
      jenkins:

  jenkins:
    build: "${SERVICES_JENKINS_DIR}/jenkins/"
    restart: unless-stopped
    labels:
      - traefik.enable=true
      - traefik.http.routers.jenkins.rule=${TRAEFIK_ROUTER_RULE_FOR_JENKINS}
      - traefik.http.routers.jenkins.tls=true
      - traefik.http.routers.jenkins.tls.certresolver=letsencrypt
      - traefik.http.routers.jenkins.entrypoints=websecure
      - traefik.http.services.jenkins.LoadBalancer.server.Port=${JENKINS_INTERNAL_HTTP_PORT}
      - traefik.tcp.routers.jenkins-jnlp.rule=HostSNI(`*`)
      - traefik.tcp.routers.jenkins-jnlp.entrypoints=jnlp
      - traefik.tcp.services.jenkins-jnlp.LoadBalancer.server.Port=${JENKINS_INTERNAL_JNLP_PORT}
    read_only: true
    volumes:
      - jenkins-data:/var/jenkins_home
      # Mounting in /run/secrets allow JCasC to retrieve secrets file content as variables
      - "${SECRETS_DIR}:/run/secrets:ro"
    tmpfs:
      - /var/jenkins_home/war:mode=770,uid=1000,gid=1000 # Expecting there is enough RAM
      - /var/jenkins_home/plugins:mode=770,uid=1000,gid=1000 # Expecting there is enough RAM
      - /run
      - /var/run
      - /tmp:exec
    cpus: "${JENKINS_MAX_CPUS}"
    mem_limit: "${JENKINS_MAX_MEMORY}"
    environment:
      - JENKINS_INTERNAL_HTTP_PORT
      - JENKINS_INTERNAL_JNLP_PORT
      - JENKINS_ADMIN_EMAIL
      - JENKINS_ROOT_URL=https://${JENKINS_LOCAL_HOSTNAME}
      - GH_ORG_ID
      # DEFAULT_ADMINS_GITHUB_HANDLES defines the "production" and default value. ADDITIONAL_ADMINS_GITHUB_HANDLES is used to inject a custom set of users for testing framework
      - JENKINS_ADMINS_GITHUB_HANDLES=${DEFAULT_ADMINS_GITHUB_HANDLES}${ADDITIONAL_ADMINS_GITHUB_HANDLES}
    healthcheck:
      test: ["CMD", "curl", "--silent", "--location", "--show-error", "--fail", "http://127.0.0.1:${JENKINS_INTERNAL_HTTP_PORT}/login"]
      interval: 5s
      timeout: 1s
      retries: 60
      start_period: 1s
    networks:
      jenkins:

volumes:
  jenkins-data:
  acme-data:

networks:
  jenkins:
...