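---
# Compose stack: a one-shot `certgen` job creates a self-signed wildcard
# certificate for *.internal, and `haproxy` serves it on ports 80 and 443.
version: "3.9"

services:
  # One-shot job that creates /certs/selfsigned.pem (certificate followed by
  # private key) when the file is missing, unparsable, or about to expire.
  #
  # The PEM and the .key file hold the private key and live in the ./certs
  # bind mount on the host: keep that directory out of version control and
  # restrict who can read it on the host.
  # NOTE(review): if the file mode is tightened here, the PEM must stay
  # readable by the user the haproxy container runs as — confirm first.
  certgen:
    image: alpine:3.20
    # List form plus a literal block (`|`) keeps newlines, `#` comments and
    # `\` continuations of the script exactly as written.
    command:
      - sh
      - '-euc'
      - |
        mkdir -p /certs
        apk add --no-cache openssl

        gen() {
          openssl req -x509 -nodes -newkey rsa:2048 -days 825 \
            -subj "/CN=*.internal" \
            -addext "subjectAltName=DNS:*.internal,DNS:hosts.internal,DNS:routerosbackup.internal,DNS:routerosupdate.internal,DNS:sslmonitor.internal" \
            -keyout /certs/selfsigned.key -out /certs/selfsigned.crt
          # Order in the bundle: CERT -> KEY.
          # Build the bundle under a temporary name and rename it into
          # place, so a reader polling for selfsigned.pem never sees a
          # file that has the certificate but not yet the key.
          cat /certs/selfsigned.crt /certs/selfsigned.key > /certs/selfsigned.pem.tmp
          mv /certs/selfsigned.pem.tmp /certs/selfsigned.pem
        }

        # Generate when the PEM is missing, does not parse as a certificate,
        # or expires within the next 24 hours (-checkend 86400); without the
        # expiry check an expired certificate would be kept forever.
        if ! [ -f /certs/selfsigned.pem ] ||
           ! openssl x509 -in /certs/selfsigned.pem -noout -checkend 86400 >/dev/null 2>&1; then
          gen
        fi
    volumes:
      - ./certs:/certs
    networks: [intranet]

  haproxy:
    image: haproxy:3.2
    # The short depends_on form only orders container start; it does not wait
    # for certgen to finish, hence the polling loop below.
    depends_on:
      - certgen
    command:
      - sh
      - '-euc'
      - |
        # Wait up to 15 seconds for the certificate bundle to appear.
        for i in $(seq 1 15); do
          [ -f /certs/selfsigned.pem ] && break
          sleep 1
        done
        # Startup still proceeds without the bundle (as before); the message
        # makes a later TLS load failure easier to trace in the logs.
        [ -f /certs/selfsigned.pem ] ||
          echo "warning: /certs/selfsigned.pem not found after 15s; starting haproxy anyway" >&2
        exec haproxy -f /usr/local/etc/haproxy/haproxy.cfg
    volumes:
      - ./haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
      # Read-only: haproxy only needs to read the key material.
      - ./certs:/certs:ro
    ports:
      - "443:443"
      - "80:80"
    restart: unless-stopped
    networks: [intranet]

networks:
  # Pre-existing network; Compose will not create it.
  intranet:
    external: true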