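---
# Swarm stack: a one-shot provisioning job, a certbot service, a plain-HTTP
# nginx pinned to a manager, and a global TLS nginx on nodes labelled
# org.sysdeploy.env=live. Config/secret objects are created out of band
# (external: true) under templated names.
#
# NOTE(review): `depends_on` with `condition:` is honoured by `docker compose
# up` but ignored by `docker stack deploy` — Swarm starts all services at
# once. The ordering below therefore only holds outside Swarm, and
# `service_healthy` additionally needs a `healthcheck:` on the awaited
# service (nginx, certbot), which nothing in this file defines.
#
# SECURITY: provision and certbot bind-mount the manager's Docker socket.
# Anything that runs inside those containers can drive the Docker API as
# root on that node — start privileged containers, read any swarm secret or
# config — so keep those images minimal and pinned, run nothing untrusted in
# them, and do not attach them to networks they do not need.

services:

  provision:
    # TODO: no `image:`/`build:` is set — compose rejects a service without
    # one, so this must be filled in before the stack can deploy.
    deploy:
      mode: replicated-job
      replicas: 1
      placement:
        constraints:
          - node.role == manager
    volumes:
      # Docker API access; root-equivalent on this node (see header note).
      - /var/run/docker.sock:/var/run/docker.sock
    # Design notes carried over from the original file (they were sitting in
    # the volumes list, where compose would have read them as volume specs):
    # - check the extent of provisioning
    # - provision basic certbot config and secrets
    #   - letsencrypt account key
    #   - 2 private SSL keys, an old and a new; the old is possibly never used
    #   - functionality to rotate both of these private keys

  certbot:
    # TODO: no `image:`/`build:` is set — see provision.
    depends_on:
      nginx:
        condition: service_healthy
    deploy:
      placement:
        constraints:
          - node.role == manager
    volumes:
      # Docker API access; root-equivalent on this node (see header note).
      - /var/run/docker.sock:/var/run/docker.sock
    secrets:
      # All three keys are owned by root and mode 0400 inside the container,
      # so the certbot process must run as uid 0 to read them. Compose reads
      # `mode:` as an octal literal (0400 -> r--------); keep the leading 0.
      - source: certbot_key
        target: /etc/certbot/priv.key
        uid: "0"
        gid: "0"
        mode: 0400
      - source: ssl_key_old
        target: /etc/certbot/ssl/old.key
        uid: "0"
        gid: "0"
        mode: 0400
      - source: ssl_key_new
        target: /etc/certbot/ssl/new.key
        uid: "0"
        gid: "0"
        mode: 0400
    # Design notes carried over from the original file:
    # - populate its own filesystem from live config
    #   - all the SSL certs and corresponding renewal configs
    #   - detect missing certs and request them
    # - maybe this can also come from a docker config; since the config is
    #   readable, it wouldn't require a restart of the container
    # - then call certbot in a loop or something like that
    # - should point to new SSL key
    # - post-install and post-renewal script should refresh (presumably the
    #   nginx services — confirm)

  nginx:
    image: nginx:stable-alpine
    depends_on:
      provision:
        condition: service_completed_successfully
    deploy:
      mode: replicated
      endpoint_mode: vip
      replicas: 1
      placement:
        constraints:
          - node.role == manager
      rollback_config:
        order: start-first
      update_config:
        order: start-first
        failure_action: rollback
    configs:
      - source: nginx_plain_conf
        target: /etc/nginx/nginx.conf
        uid: "0"
        gid: "0"
        mode: 0444

  nginx_ssl:
    image: nginx:stable-alpine
    depends_on:
      certbot:
        condition: service_healthy
    deploy:
      mode: global
      endpoint_mode: dnsrr
      placement:
        constraints:
          - node.labels.org.sysdeploy.env == live
      rollback_config:
        parallelism: 2
        delay: 20s
        order: start-first
      update_config:
        parallelism: 2
        delay: 20s
        failure_action: rollback
        order: start-first
    # NOTE(review): only the nginx.conf config is delivered here; no TLS key
    # or certificate is mounted into this service in this file, so how the
    # live nodes obtain them is still undefined (presumably via the certbot
    # post-renewal hook over the Docker API — confirm).
    configs:
      - source: nginx_ssl_conf
        target: /etc/nginx/nginx.conf
        uid: "0"
        gid: "0"
        mode: 0444

# No stack-level networks are declared; every service lands on the default
# network for the stack.
networks: {}

# Templated names are quoted: a bare `{{ ... }}` at the start of a value is
# parsed as a flow mapping if this file ever reaches a YAML parser before the
# template engine, and quoting is harmless after rendering.
configs:
  nginx_plain_conf:
    external: true
    name: "{{ NGINX_PLAIN_CONF }}"
  nginx_ssl_conf:
    external: true
    name: "{{ NGINX_SSL_CONF }}"

secrets:
  certbot_key:
    external: true
    name: "{{ CERTBOT_KEY }}"
  ssl_key_old:
    external: true
    name: "{{ SSL_KEY_OLD }}"
  ssl_key_new:
    external: true
    name: "{{ SSL_KEY_NEW }}"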