traefik + portainer for docker swarm (and simple app with nginx)
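---
# Swarm stack: Traefik v2 edge proxy, Portainer CE and the Portainer agent.
# Nesting is restored here; with every key at column 0 the file does not
# parse as a compose file.
version: "3.8"

services:
  traefik:
    image: traefik:v2.4.9
    deploy:
      replicas: 1
      placement:
        # The swarm-mode Docker provider has to query a manager's API.
        constraints:
          - node.role == manager
    ports:
      # mode: host binds the port on the node running the task and bypasses
      # the swarm routing mesh.
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host
    command:
      - --log.level=INFO
      - --providers.docker=true
      - --providers.docker.swarmMode=true
      # Only services labelled traefik.enable=true get a route.
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=web
      - --entrypoints.web.address=:80
      # SECURITY: insecure=true makes Traefik trust X-Forwarded-* headers from
      # every client, so any caller can choose the client address that
      # backends, rate limits and IP allow-lists see. It is only useful when
      # another proxy sits in front of this entrypoint; in that case prefer
      # --entryPoints.web.forwardedHeaders.trustedIPs=<UPSTREAM_PROXY_CIDRS>
      # (placeholder) and drop this flag.
      - --entryPoints.web.forwardedHeaders.insecure=true
      - --entrypoints.web-secured.address=:443
      # ACME HTTP-01 challenge is answered on the "web" entrypoint, so port 80
      # must stay reachable from the internet for issuance and renewal.
      - --certificatesresolvers.mytlschallenge.acme.httpChallenge.entrypoint=web
      # Placeholder address: replace before deploying.
      - --certificatesresolvers.mytlschallenge.acme.email=mail@example.com
      # acme.json holds the ACME account key and certificate private keys;
      # treat the letsencrypt volume as secret material.
      - --certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json
    volumes:
      - letsencrypt:/letsencrypt
      # Mounted read-only because Traefik only reads from the Docker API.
      # Note that :ro protects the socket file, not the API: a process that
      # can connect to this socket still has full control of the Docker
      # daemon. Consider a filtering socket proxy for an internet-facing
      # container.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - web

  portainer:
    image: portainer/portainer-ce:2.6.3
    # --tlsskipverify disables certificate verification for the agent
    # connection, so the agent's identity is not checked by TLS; the link
    # then depends on AGENT_SECRET and on who can join agent_network.
    # NOTE(review): the agent service below is named portainer_agent, while
    # this address uses tasks.agent; confirm that the name resolves in your
    # stack.
    command: '-H tcp://tasks.agent:9001 --tlsskipverify'
    environment:
      # Placeholder. Set a long random value, the same one as on
      # portainer_agent, and keep it out of version control.
      AGENT_SECRET: '...'
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.role == manager
      labels:
        - "traefik.enable=true"
        - "traefik.http.services.portainer.loadbalancer.server.port=9000"
        # Plain-HTTP router: exists only to redirect to HTTPS.
        - "traefik.http.routers.portainer.middlewares=redirect-to-https"
        - "traefik.http.routers.portainer.rule=Host(`portainer.example.com`)"
        - "traefik.http.routers.portainer.entrypoints=web"
        # HTTPS router with a certificate from the ACME resolver above.
        - "traefik.http.routers.portainer-secured.rule=Host(`portainer.example.com`)"
        - "traefik.http.routers.portainer-secured.entrypoints=web-secured"
        - "traefik.http.routers.portainer-secured.tls.certresolver=mytlschallenge"
        - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
    volumes:
      - portainer_data:/data
    networks:
      - agent_network
      - web

  portainer_agent:
    image: portainer/agent:2.6.3
    environment:
      # Placeholder. Must match the value given to the portainer service.
      AGENT_SECRET: '...'
    deploy:
      # One agent task on every Linux node.
      mode: global
      placement:
        constraints:
          - node.platform.os == linux
    volumes:
      # Both mounts give the agent host-level reach: the socket controls the
      # Docker daemon and the volumes path exposes every volume's data.
      # Anything that can talk to the agent inherits that reach.
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/lib/docker/volumes:/var/lib/docker/volumes
    networks:
      - agent_network

volumes:
  letsencrypt:
  portainer_data:

networks:
  web:
    driver: overlay
    # attachable also lets standalone containers (docker run --network) join
    # this overlay.
    attachable: true
    # Fixed name, not stack-prefixed, so other stacks can reference it as an
    # external network.
    name: web
  agent_network:
    driver: overlay
    # Standalone containers on any node can join this network too, and it
    # carries the agent traffic; remove attachable if nothing needs it.
    attachable: true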
---
# Swarm stack: uWSGI application behind nginx, exposed through the shared
# "web" overlay network that Traefik watches.
version: "3.8"

services:
  app_wsgi:
    image: app:develop
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.role == manager
      update_config:
        # Roll back when an update fails, and start the new task before
        # stopping the old one.
        failure_action: rollback
        order: start-first
    healthcheck:
      test: ["CMD", "healthcheck.py"]
      interval: 5s
      timeout: 10s
      retries: 3
      start_period: 120s
    command: start_uwsgi
    volumes:
      # Host bind mounts shared with the nginx service.
      - "/static:/static"
      - "/uploads:/uploads"
    # NOTE(review): presumably carries deployment settings and credentials;
    # confirm it is excluded from version control.
    env_file: .env.deploy
    # No networks key: this service is attached to the stack's default
    # network only, not to "web".

  nginx:
    image: nginx:develop
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.role == manager
      update_config:
        order: start-first
      labels:
        - "traefik.enable=true"
        # Route through the swarm load balancer; the author uses this for
        # rolling updates.
        - "traefik.docker.lbswarm=true"
        - "traefik.http.routers.core.rule=Host(`example.com`, `www.example.com`)"
        # NOTE(review): this router is bound to the port-80 "web" entrypoint
        # only and has no TLS router or certresolver label, so Traefik serves
        # the site over plain HTTP. Confirm that TLS is terminated elsewhere.
        - "traefik.http.routers.core.entrypoints=web"
        - "traefik.http.services.core.loadbalancer.server.port=80"
    healthcheck:
      # curl is run without -f, so an HTTP error status still counts as
      # healthy; the check only proves that something answers on port 80.
      test: ["CMD-SHELL", "curl -so /dev/null http://localhost/ || exit 1"]
      interval: 5s
      timeout: 10s
      retries: 3
      start_period: 30s
    volumes:
      - "/static:/static"
      - "/uploads:/uploads"
    networks:
      # default reaches app_wsgi; web is where Traefik reaches nginx.
      - default
      - web

networks:
  web:
    # Created outside this stack; it must exist before this stack is deployed.
    external: true