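---
# nginx-proxy — TLS reverse proxy (HTTPS + MQTT-TLS stream proxy)
# Stock nginx + certbot sidecar for Let's Encrypt automation.
# Networks: edge (port publisher) + app (proxy targets)
# Publishes: 80, 443, 8883 on the host
#
# Trust boundary: only the certbot container may write to the
# certificate volume; nginx mounts it read-only. `$$` is the Compose
# escape so `${!}` reaches the shell untouched by Compose interpolation.

services:
  nginx:
    image: nginx:1.27-alpine
    restart: unless-stopped
    networks: [edge, app]
    ports:
      - "80:80"
      - "443:443"
      - "8883:8883"  # MQTT-TLS via stream{} block, SNI route to rabbitmq
    volumes:
      - ./config/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./config/conf.d:/etc/nginx/conf.d:ro
      - ./config/stream.d:/etc/nginx/stream.d:ro
      - nginx-certs:/etc/letsencrypt:ro
      - nginx-acme-challenge:/var/www/certbot:ro
    depends_on:
      - certbot
    # nginx only reads certificate files at start and on reload, so a
    # renewed cert in the volume is never served unless nginx is reloaded.
    # Reload every 6h (certbot tries renewal every 12h below); `exec nginx`
    # keeps the nginx master as PID 1 so `docker stop` is handled cleanly,
    # with the reload loop left as its background child.
    # NOTE(review): the TLS vhosts presumably reference files under
    # /etc/letsencrypt, which do not exist before the first manual
    # issuance — nginx may refuse to start on a fresh volume; bootstrap
    # with an HTTP-only config or a temporary self-signed cert. Verify
    # against config/conf.d.
    command:
      - /bin/sh
      - "-c"
      - |-
        while :; do
          sleep 6h & wait $${!}
          nginx -s reload
        done &
        exec nginx -g 'daemon off;'

  certbot:
    # TODO(review): `latest` is a floating tag — pin to a specific tag or
    # an @sha256 digest so renewals run a known, reviewed image.
    image: certbot/certbot:latest
    restart: unless-stopped
    volumes:
      - nginx-certs:/etc/letsencrypt
      - nginx-acme-challenge:/var/www/certbot
    # Renewal loop: `sleep ... & wait` (instead of a plain sleep) lets the
    # TERM trap interrupt the wait immediately on `docker stop`.
    entrypoint: ["/bin/sh", "-c"]
    command:
      - |-
        trap exit TERM
        while :; do
          certbot renew --webroot -w /var/www/certbot --quiet
          sleep 12h & wait $${!}
        done
    # Initial issuance is manual (nginx must already be serving port 80
    # with the acme-challenge webroot for HTTP-01 to succeed):
    #   docker compose run --rm certbot certonly \
    #     --webroot -w /var/www/certbot \
    #     --email "$LETSENCRYPT_EMAIL" --agree-tos --no-eff-email \
    #     -d <domain> -d <domain> ...

networks:
  edge:
  app:

volumes:
  nginx-certs:
  nginx-acme-challenge: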