version: "2.5"
services:
  crowdsec:
    container_name: crowdsec
    image: crowdsecurity/crowdsec:latest
    environment:
      PGID: "1000"
      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/whitelist-good-actors"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config:/etc/crowdsec
      - ./data:/var/lib/crowdsec/data
      - /var/log/auth.log:/var/log/auth.log:ro
      - /var/log/crowdsec:/var/log/crowdsec:ro
    restart: unless-stopped
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
    security_opt:
      - no-new-privileges=true
    networks:
      crowdsec:
        ipv4_address: 172.31.0.2
    hostname: crowdsec

  bouncer-traefik:
    container_name: crowdsec-bouncer-traefik
    image: fbonalair/traefik-crowdsec-bouncer:latest
    environment:
      CROWDSEC_BOUNCER_API_KEY: ${TRAEFIK_BOUNCER_KEY}
      CROWDSEC_AGENT_HOST: crowdsec:8080 # Hier könnte nun auch bei Bedarf die statische IP 172.31.0.2:8080 verwendet werden 
    restart: unless-stopped
    depends_on:
      - crowdsec
    networks:
      crowdsec:
        ipv4_address: 172.31.0.3
    hostname: crowdsec-bouncer-traefik
    labels:
      - "com.centurylinklabs.watchtower.enable=true"

networks:
  crowdsec:
    name: crowdsec
    driver: bridge
    ipam:
      config:
      - subnet: 172.31.0.0/24
        gateway: 172.31.0.1