# Stack definition for the management API service. The file contains
# `{{ ... }}` placeholders, so it is rendered by a template engine first and
# only the rendered text is parsed as YAML (presumably Jinja2 via Ansible,
# confirm against the deploying playbook).
# Compose file format version, supplied by a template variable; quoted so the
# rendered value stays a string.
version: "{{ compose_version }}"

services:
  # Management API. It is handed an SSH private key, an Ansible vault password
  # and a users file (see `secrets:` in this service) and is pinned to swarm
  # manager nodes, so a compromise of this container should be treated as a
  # compromise of everything those credentials unlock.
  api:
    # Image tag comes from a template variable.
    # NOTE(review): tags are mutable; pinning by digest would make the deployed
    # content verifiable. Confirm the registry/tagging policy.
    image: registry.kadet.net/management/api-server:{{ api_server_version }}
    # Passed as arguments to the image's entrypoint.
    # NOTE(review): presumably makes the server trust forwarded-for/proto
    # headers from the reverse proxy. That is only sound if port 8080 is
    # reachable solely through the proxy, so confirm network reachability.
    command: ['--proxy-headers']
    # Static hosts entry: manager.swarm.local resolves to the templated address.
    extra_hosts:
      - manager.swarm.local:{{ swarm_host_address }}
    networks:
      - default
      # Second network, named by a template variable; presumably the one
      # shared with the Traefik ingress (confirm).
      - "{{ ingress_network }}"
    environment:
      # Relative inventory path; presumably resolved against /var/project,
      # where the inventory config is mounted below (confirm working dir).
      - API_INVENTORY=inventory/swarm.ini
      # Same path as the target of the vault-password secret mounted below.
      - ANSIBLE_VAULT_PASSWORD_FILE=/var/run/secrets/vault-password
    volumes:
      # Bind mount of ./project from the deploying host (read-write, since no
      # `:ro` suffix is given).
      - ./project:/var/project
      # Named volume declared at the top level of this file.
      - private-dir:/var/run/ansible
    # No uid/gid/mode is set on any secret or config entry, so engine defaults
    # apply. NOTE(review): Docker documents the default mode as 0444, which
    # leaves id_rsa and vault-password readable by every user in the
    # container. Consider an explicit mode plus uid/gid matching the user the
    # image runs as (not visible here, confirm before tightening).
    secrets:
      # SSH private key for the api-server user's ~/.ssh.
      - source: id-rsa
        target: /home/api-server/.ssh/id_rsa
      # Users file; secret name carries the file checksum.
      - source: users_{{ users_config.checksum }}
        target: /etc/api-server/users.yaml
      # Vault password; secret name carries the first 12 characters of the
      # checksum. Read by Ansible via ANSIBLE_VAULT_PASSWORD_FILE above.
      - source: vault-password_{{ vault_password.checksum[:12] }}
        target: /var/run/secrets/vault-password
    configs:
      # Public half of the SSH key pair; not sensitive, hence a config.
      - source: id-rsa-pub
        target: /home/api-server/.ssh/id_rsa.pub
      # Inventory file, mounted inside the bind-mounted /var/project tree.
      - source: inventory_{{ inventory_config.checksum }}
        target: /var/project/inventory/swarm.ini
    deploy:
      # Traefik routing: host rule mgmt.<main_domain>, TLS enabled with the
      # cert resolver named lets-encrypt, backend port 8080.
      # NOTE(review): no middleware label (auth, IP allow-list, rate limit) is
      # attached to this router here, so access control presumably rests on
      # the API itself (users.yaml). Confirm, given what this service holds.
      labels:
        - traefik.enable=true
        - traefik.http.routers.{{ service }}.rule=Host(`mgmt.{{ main_domain }}`)
        - traefik.http.routers.{{ service }}.tls=true
        - traefik.http.routers.{{ service }}.tls.certresolver=lets-encrypt
        - traefik.http.services.{{ service }}.loadbalancer.server.port=8080
      # Schedule only on swarm manager nodes.
      placement:
        constraints:
          - node.role == manager

# Named volume declared with a null value (`~`), i.e. no options are given
# and engine defaults apply. The api service mounts it at /var/run/ansible.
volumes:
  private-dir: ~

# Non-secret files distributed to the service as swarm configs. Paths are
# relative to this stack file on the deploying host.
configs:
  id-rsa-pub:
    file: ./ssh/id_rsa.pub
  # Name embeds the file checksum; presumably so that a changed inventory
  # yields a new config name, since swarm configs cannot be edited in place.
  inventory_{{ inventory_config.checksum }}:
    file: ./config/inventory.ini

# Secrets are created from plaintext files next to this stack file, so
# ./ssh/id_rsa and ./config/vault-password must exist unencrypted on the
# deploying host. Keep them out of version control and restrict their file
# permissions there.
secrets:
  # NOTE(review): unlike the two entries below, this name has no checksum
  # suffix. Swarm secrets cannot be updated in place, so replacing the key
  # presumably means removing or renaming the secret. Confirm the rotation
  # procedure.
  id-rsa:
    file: ./ssh/id_rsa
  users_{{ users_config.checksum }}:
    file: ./config/users.yaml
  # Secret names are not confidential (they appear in service specs and
  # secret listings), so the 12-character checksum prefix of the password
  # file is exposed as metadata. NOTE(review): with an unsalted fast digest
  # (algorithm not visible here) that prefix helps offline guessing of a weak
  # password. Confirm the vault password is long and random.
  vault-password_{{ vault_password.checksum[:12] }}:
    file: ./config/vault-password