version: "3.8"

networks:
  proxy:
    external: true
  proxy_infra:
    external: true
  proxy_home:
    external: true

services:
  traefik:
    image: "traefik:v2.4.8"
    restart: always
    command:
      #- "--log.level=DEBUG"
      - "--global.sendanonymoususage=false"
      - "--pilot.dashboard=false"
      - "--api.dashboard=true"
      #- "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=proxy"
      - "--providers.file.directory=/conf/files/"
      #- "--serverstransport.rootcas=/conf/certs/rootca.crt"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=web-secure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.web-secure.address=:443"
      - "--entrypoints.ssh-git.address=:2201"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
      #- "--certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.letsencrypt.acme.email=${CERT_EMAIL}"
      - "--certificatesresolvers.letsencrypt.acme.storage=/conf/acme/letsencrypt.json"
    ports:
      - "80:80"
      - "443:443"
      - "2201:2201"
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./conf/:/conf/:ro"
      - "./conf/acme/:/conf/acme/:rw"
    networks:
      - proxy
      - proxy_infra
      - proxy_home
      - default
    # Dynamic Configuration
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy_infra"
 
      # MIDDLEWARES
      # Priority goes from first in the list to last.
      - "traefik.http.middlewares.traefik.chain.middlewares=headers-base@file,headers-sts@file,headers-policy-self@file"

      # Traefik Dashboard
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.entrypoints=web-secure"
      - "traefik.http.routers.traefik.rule=Host(`${FQDN}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik.middlewares=traefik,net-home@file,auth-traefik@file"