services:
  traefik:
    container_name: traefik
    image: docker.io/library/traefik:v3.5.0
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    secrets:
      - cf_api_token
    command:
      - --log.level=DEBUG
      - --log.filepath=/var/log/traefik/traefik.log
      - --accesslog=true
      - --accesslog.format=json
      - --accesslog.filepath=/var/log/traefik/access.log
      - --api.dashboard=false
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=frontend
      # Set up LetsEncrypt certificate resolver
      - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.delayBeforeCheck=20
      - --certificatesresolvers.letsencrypt.acme.email=${CF_EMAIL}
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
      # staging environment of LE, remove for real certs
      # - --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      # Set up an insecure listener that redirects all traffic to TLS
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      # Set up the TLS configuration for our websecure listener
      - --entrypoints.websecure.http.tls=true
      - --entrypoints.websecure.http.tls.certResolver=letsencrypt
      - --entrypoints.websecure.http.tls.domains[0].main=${DOMAIN}
      - --entrypoints.websecure.http.tls.domains[0].sans=*.${DOMAIN}
    environment:
      - CF_DNS_API_TOKEN_FILE=/run/secrets/cf_api_token
    volumes:
      - ${APPDATA_PATH}/traefik/letsencrypt/acme.json:/acme.json
      - ${APPDATA_PATH}/traefik/logs:/var/log/traefik
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - 80:80
      - 443:443
      - 443:443/udp
    networks:
      - frontend

networks:
  frontend:
    external: true

secrets:
  cf_api_token:
    file: ${APPDATA_PATH}/traefik/secrets/cf_api_token