# docker-compose.yml
services:
  traefik:
    image: traefik:v3.6
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    environment:
      - "ACME_DNS_API_BASE=https://acme.frodo.dfas4.de"
      - "ACME_DNS_STORAGE_PATH=/etc/traefik/acmedns.json"
    command:
      # EntryPoints
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.http.tls=true"

      # Attach the static configuration tls.yaml file that contains the tls configuration settings
#      - "--providers.file.filename=/dynamic/tls.yaml"

      # Providers 
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=proxy"

      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=acmedns"
      # API & Dashboard 
      - "--api.dashboard=true"
      - "--api.insecure=false"

      # Observability 
      - "--log.level=DEBUG"
      - "--accesslog=true"
      - "--metrics.prometheus=true"
    # Traefik Dynamic configuration via Docker labels
    labels:
      # Enable self‑routing
      - "traefik.enable=true"

      # Dashboard router
      - "traefik.http.routers.dashboard.rule=Host(`dashboard.gandalf.dfas4.de`)"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.tls=true"
      - "traefik.http.routers.dashboard.tls.certresolver=myresolver"
      # Basic‑auth middleware
      - "traefik.http.middlewares.dashboard-auth.basicauth.users=admin:$$apr1$$XeLtTjGP$$lGii1xpCSV/Zwj6.POmum/"
      - "traefik.http.routers.dashboard.middlewares=dashboard-auth@docker"
      - "traefik.http.routers.dashboard.tls.domains[0].main=gandalf.dfas4.de"
      - "traefik.http.routers.dashboard.tls.domains[0].sans=*.gandalf.dfas4.de"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data/acmedns.json:/etc/traefik/acmedns.json
    networks:
      - proxy

networks:
  proxy:
    name: proxy