---
services:
  traefik:
    image: traefik:${TRAEFIK_VERSION}
    container_name: ${TRAEFIK_CONTAINER_NAME}
    restart: unless-stopped
    command:
      # when debugging is needed
      - --accesslog=${TRAEFIK_ACCESSLOG}
      # enable Træfik dashboard
      - --api.dashboard=true
      # configure Let's Encrypt automatic certificates
      - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.dnschallenge=true
      - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.dnschallenge.provider=${TRAEFIK_DNSPROVIDER}
      - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.dnschallenge.resolvers=${TRAEFIK_DNSRESOLVERS}
      - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.email=${LETSENCRYPT_EMAIL}
      - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.keytype=RSA4096
      - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.storage=/certs.json
      # we listen on both HTTP and HTTPS
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      # logging level
      - --log.level=${TRAEFIK_LOGLEVEL}
      # Træfik Pilot token (of course retrieved from dotenv)
      - --pilot.token=${TRAEFIK_PILOT_TOKEN}
      # we only use Docker (for now)
      - --providers.docker=true
      # and we want to manually specify exposed containers
      - --providers.docker.exposedbydefault=false
      - --providers.docker.watch=true
      # should not need, but just in case, a folder for dynamic config files is also configured
      - --providers.file.directory=/config
      - --providers.file.watch=true
    env_file:
      - ${TRAEFIK_DNSPROVIDER_ENVFILE}
    labels:
      # expose Træfik using Træfik (dashboard)
      - traefik.enable=${TRAEFIK_ENABLED}
      # configure a global whitelist for my home
      - traefik.http.middlewares.dashboard-whitelist.ipwhitelist.sourcerange=${TRAEFIK_DASHBOARD_WHITELIST}
      # configure the global redirect middleware
      - traefik.http.middlewares.http-to-https.redirectscheme.scheme=https
      - traefik.http.middlewares.http-to-https.redirectscheme.permanent=true
      ### Section HTTP
      - traefik.http.routers.http-${TRAEFIK_ROUTER}.entrypoints=http
      # only some people can access the dashboard, hence protect it with it's whitelist
      - traefik.http.routers.http-${TRAEFIK_ROUTER}.middlewares=dashboard-whitelist
      # redirect Træfik dashboard to HTTPS only
      - traefik.http.routers.http-${TRAEFIK_ROUTER}.middlewares=http-to-https
      - traefik.http.routers.http-${TRAEFIK_ROUTER}.rule=Host(`${TRAEFIK_MATCHRULE}`)
      - traefik.http.routers.http-${TRAEFIK_ROUTER}.service=api@internal
      ### Section HTTPS
      - traefik.http.routers.https-${TRAEFIK_ROUTER}.entrypoints=https
      # only some people can access the dashboard, hence protect it with it's whitelist
      - traefik.http.routers.https-${TRAEFIK_ROUTER}.middlewares=dashboard-whitelist
      # configure Træfik dashboard to be the exposed service
      - traefik.http.routers.https-${TRAEFIK_ROUTER}.rule=Host(`${TRAEFIK_MATCHRULE}`)
      - traefik.http.routers.https-${TRAEFIK_ROUTER}.service=api@internal
      # of course, enable TLS and it's certificate provider
      - traefik.http.routers.https-${TRAEFIK_ROUTER}.tls=${TRAEFIK_TLSENABLED}
      - traefik.http.routers.https-${TRAEFIK_ROUTER}.tls.certresolver=${TRAEFIK_CERTRESOLVER}
    networks:
      - traefik
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config:/config:ro
      - ./certs.json:/certs.json

networks:
  traefik:
    external: true
    name: ${TRAEFIK_NETWORK}