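# Compose project: Eclipse Mosquitto MQTT broker exposed through Traefik TCP routers.
# Values interpolated from the environment / .env file (not shown in this file):
#   PUID, PGID, DATADIR, APPLICATION_NAME, DOMAINNAME, SERVICE_PORT
name: mosquitto

networks:
  # Existing network shared with the Traefik container; this project does not create it.
  traefik-net:
    external: true

services:
  mosquitto:
    # NOTE(review): no tag is given, so this resolves to "latest". Pin a specific
    # version (or digest) so that a broker upgrade is a deliberate change.
    image: eclipse-mosquitto
    hostname: mosquitto
    # NOTE(review): if this env file carries credentials, keep it out of version control.
    env_file: .mosquitto.env
    # Container runs as the UID:GID supplied by PUID/PGID; these should map to a
    # non-root account that owns the bind-mounted directories below.
    user: "${PUID}:${PGID}"
    networks:
      traefik-net:
        aliases: ["mqtt"]
    volumes:
      - "${DATADIR}/appdata:/mosquitto/data"
      - "${DATADIR}/config:/mosquitto/config"
      - "${DATADIR}/logs:/mosquitto/log"
      # maps the default folder for password.txt file
      # (keep this directory readable only by PUID/PGID)
      - "${DATADIR}/configinc:/mosquitto/configinc"
    restart: unless-stopped
    # ports 1883, 8883 and 9001
    # 9001 not implemented
    # No `ports:` mapping is declared here, so the broker is not published on the
    # host directly; clients reach it through the Traefik entrypoints below.
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik-net"
      #
      # tcp services
      # -------------
      - "traefik.tcp.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${SERVICE_PORT}"
      # - "traefik.tcp.services.${APPLICATION_NAME}-secure-svc.loadbalancer.server.port=${SECURE_SERVICE_PORT}"
      #
      # tcp routers
      # ------------
      # limit router to mqtt ":1883" entrypoint
      # This entrypoint carries MQTT in cleartext, credentials included. Restrict who
      # can reach it (firewall / internal interface) or drop this router and use
      # only the TLS router below.
      - "traefik.tcp.routers.${APPLICATION_NAME}-rtr.entrypoints=mqtt"
      # set match criteria for router
      # (non-TLS TCP carries no SNI, so the catch-all rule is the only one that can match)
      - "traefik.tcp.routers.${APPLICATION_NAME}-rtr.rule=HostSNI(`*`)"
      # assign svc target to routers
      - "traefik.tcp.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
      #
      # limit router to mqttsecure ":8883" entrypoint
      - "traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=mqttsecure"
      # set match criteria for router
      - "traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.rule=HostSNI(`${APPLICATION_NAME}.${DOMAINNAME}`) || HostSNI(`mqtt.${DOMAINNAME}`)"
      # set router to be dedicated to secure requests only for the host specified in match criteria
      - "traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
      # Traefik terminates TLS on this router and forwards plain MQTT to the shared
      # service. passthrough has to stay false for that: with passthrough=true the
      # raw TLS stream is handed to the backend port, the certresolver certificate
      # is never presented, and a backend listener that does not speak TLS rejects
      # the connection. If mosquitto should terminate TLS itself instead, set
      # passthrough=true, enable the -secure-svc service and drop the certresolver.
      - "traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.tls.passthrough=false"
      # generate certificates using following certresolver
      - "traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
      # assign svc target to routers
      # - "traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-secure-svc"
      # use same svc as non-secure router to avoid issues with certificates on mosquitto
      - "traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"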