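---
# Traefik reverse proxy (Docker Compose).
#
# Every ${...} value is interpolated by Compose from the shell environment or
# the project's .env file. Compose replaces an unset variable with an empty
# string and only prints a warning, so review the rendered file with
# `docker compose config` before deploying. The middleware lists and the IP
# allow-list below are security controls that silently vanish when empty.
services:
  traefik:
    image: traefik:${TRAEFIK_VERSION}
    restart: unless-stopped
    command:
      # when debugging is needed
      - --accesslog=${TRAEFIK_ACCESSLOG}
      # enable Træfik dashboard
      # (it is only reachable through the routers declared in `labels`, so
      # its protection depends entirely on the middlewares attached there)
      - --api.dashboard=true
      # configure Let's Encrypt automatic certificates
      - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.dnschallenge=true
      - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.dnschallenge.provider=${TRAEFIK_DNSPROVIDER}
      - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.dnschallenge.resolvers=${TRAEFIK_DNSRESOLVERS}
      - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.email=${LETSENCRYPT_EMAIL}
      - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.keytype=RSA4096
      - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.storage=/certs.json
      # we listen on both HTTP and HTTPS
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      # logging level
      - --log.level=${TRAEFIK_LOGLEVEL}
      # we only use Docker (for now)
      - --providers.docker=true
      # and we want to manually specify exposed containers
      - --providers.docker.exposedbydefault=false
      - --providers.docker.watch=true
      # should not need, but just in case, a folder for dynamic config files
      # is also configured
      # (files in it can define routers and middlewares, so write access to
      # the host directory should be as restricted as access to this file)
      - --providers.file.directory=/config
      - --providers.file.watch=true
    # Holds the DNS provider API credentials used for the ACME DNS challenge:
    # keep the file out of version control and readable only by the deploying
    # user, and prefer a provider token scoped to the required zone.
    env_file:
      - ${TRAEFIK_DNSPROVIDER_ENVFILE}
    labels:
      # expose Træfik using Træfik (dashboard)
      - traefik.enable=${TRAEFIK_ENABLED}
      - traefik.docker.network=${TRAEFIK_NETWORK}
      # configure a global whitelist for accessing the Træfik dashboard
      # NOTE: this only *defines* the middleware. It restricts nothing unless
      # it is listed in TRAEFIK_HTTPS_MIDDLEWARES (and TRAEFIK_HTTP_MIDDLEWARES
      # if the HTTP router does not redirect). Keep the range to narrow CIDRs.
      - traefik.http.middlewares.dashboard-whitelist.ipallowlist.sourcerange=${TRAEFIK_DASHBOARD_WHITELIST}
      # configure a global middleware for redirecting HTTP to HTTPS
      - traefik.http.middlewares.http-to-https.redirectscheme.scheme=https
      - traefik.http.middlewares.http-to-https.redirectscheme.permanent=true
      # configure a global middleware to harden security through HSTS
      # (includeSubdomains and preload are slow to undo once browsers have
      # cached them; enable them only when every subdomain serves HTTPS)
      - traefik.http.middlewares.hsts.headers.stsSeconds=${TRAEFIK_STS_SECONDS}
      - traefik.http.middlewares.hsts.headers.stsIncludeSubdomains=${TRAEFIK_STS_SUBDOMAINS}
      - traefik.http.middlewares.hsts.headers.stsPreload=${TRAEFIK_STS_PRELOAD}
      ### Section HTTP
      - traefik.http.routers.http-${TRAEFIK_ROUTER}.entrypoints=http
      # redirect Træfik dashboard to HTTPS only
      # (true only if TRAEFIK_HTTP_MIDDLEWARES contains http-to-https;
      # otherwise this router serves api@internal over cleartext HTTP)
      - traefik.http.routers.http-${TRAEFIK_ROUTER}.middlewares=${TRAEFIK_HTTP_MIDDLEWARES}
      - traefik.http.routers.http-${TRAEFIK_ROUTER}.rule=${TRAEFIK_MATCHRULE}
      - traefik.http.routers.http-${TRAEFIK_ROUTER}.service=api@internal
      ### Section HTTPS
      - traefik.http.routers.https-${TRAEFIK_ROUTER}.entrypoints=https
      # configure Træfik dashboard to be the exposed service
      # (TRAEFIK_HTTPS_MIDDLEWARES should include dashboard-whitelist and,
      # ideally, an authentication middleware in front of the dashboard)
      - traefik.http.routers.https-${TRAEFIK_ROUTER}.middlewares=${TRAEFIK_HTTPS_MIDDLEWARES}
      - traefik.http.routers.https-${TRAEFIK_ROUTER}.rule=${TRAEFIK_MATCHRULE}
      - traefik.http.routers.https-${TRAEFIK_ROUTER}.service=api@internal
      # of course, enable TLS and its certificate provider
      - traefik.http.routers.https-${TRAEFIK_ROUTER}.tls=${TRAEFIK_TLSENABLED}
      - traefik.http.routers.https-${TRAEFIK_ROUTER}.tls.certresolver=${TRAEFIK_CERTRESOLVER}
    networks:
      - traefik
    ports:
      # quoted so the mappings are always read as strings, never as numbers
      - '80:80'
      - '443:443'
    volumes:
      # The `:ro` flag makes the socket file read-only but does not limit
      # Docker API calls made through it: a process that controls this
      # container can still drive the Docker daemon, which is equivalent to
      # root on the host. Consider a filtering socket proxy that exposes only
      # the read endpoints Traefik needs.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${TRAEFIK_DYNAMIC}:/config:ro
      # ACME storage: contains the account key and certificate private keys.
      # The host file must exist before the first start (otherwise Docker
      # creates a directory at that path) and must be mode 600, which Traefik
      # enforces.
      - ${TRAEFIK_CERTFILE}:/certs.json

networks:
  traefik:
    external: true
    name: ${TRAEFIK_NETWORK}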