frontend-docker/base.yml

version: '3.7'

networks:
  frontend:
    driver: overlay
    attachable: true
  cache:
    driver: overlay

secrets:
  cf_op:
    file: certificates/cloudflare-op.crt
  ssl_master:
    file: certificates/master.pem

volumes:
  haproxysock:

x-logging: &json-log
  driver: 'json-file'
  options:
    max-size: 20m
    max-file: '5'

x-global-stop-2: &gt2
  mode: global
  restart_policy:
    condition: any
  update_config:
    parallelism: 2
    delay: 5s
    order: stop-first
    failure_action: rollback

services:
  haproxy:
    image: localhost:5000/haproxy-rx
    deploy: *gt2 ## HAProxy really dislikes if it's overlapped
    logging: *json-log
    secrets:
      - ssl_master
      - cf_op
    volumes:
      - 'haproxysock:/haproxy:rw' ## Telegraf monitoring
    networks:
      - frontend
      - cache

  varnish:
    image: localhost:5000/varnish
    deploy: *gt2
    logging: *json-log
    tmpfs: /usr/local/var/varnish
    networks:
      - cache

  hitch:
    image: zazukoians/hitch
    deploy: *gt2
    logging: *json-log
    secrets:
      - source: ssl_master
    environment:
      HITCH_PEM: '/run/secrets/ssl_master'
      HITCH_PARAMS: '--backend=[varnish]:80 --frontend=[*]:443'
      HITCH_CIPHER: 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'
    ports:
      - '443:443'
    networks:
      - cache