services:
  certgen:
    image: alpine:3.20
    command: >
      sh -c '
        mkdir -p /certs;
        if [ ! -f /certs/selfsigned.pem ]; then
          openssl req -x509 -nodes -newkey rsa:2048 -days 825
            -subj "/CN=*.internal"
            -keyout /certs/selfsigned.key -out /certs/selfsigned.crt;
          cat /certs/selfsigned.key /certs/selfsigned.crt > /certs/selfsigned.pem;
        fi
      '
    volumes:
      - ./certs:/certs
    networks: [intranet]

  haproxy:
    image: haproxy:3.2
    depends_on: [certgen]
    command: >
      sh -c '
        for i in 1 2 3 4 5; do
          [ -f /certs/selfsigned.pem ] && break;
          sleep 1;
        done;
        haproxy -f /usr/local/etc/haproxy/haproxy.cfg
      '
    volumes:
      - ./haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
      - ./certs:/certs:ro
    ports:
      - "443:443"
      - "80:80"
    restart: unless-stopped
    networks: [intranet]

networks:
  intranet:
    external: true