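########################### SECRETS
# File-backed secrets are mounted into the container under /run/secrets/<name>.
# Keep the source files outside version control and readable only by the deploying user.
secrets:
  #cloudflare_email:
  #  file: ${SECRETSDIR}/cloudflare_email
  #cloudflare_api_key:
  #  file: ${SECRETSDIR}/cloudflare_api_key
  basic_auth_credentials:
    file: $DOCKERDIR/secrets/basic_auth_credentials
  cloudflare_api_token:
    file: ${SECRETSDIR}/cloudflare_dns_api_token

services:
  # Traefik 3 - Reverse Proxy
  # Before the first start, create the files Traefik writes to and restrict acme.json
  # (it stores the private keys of every issued certificate). Paths match the volumes below:
  #   touch ${DOCKERDIR}/traefik/acme.json
  #   chmod 600 ${DOCKERDIR}/traefik/acme.json
  #   touch ${DOCKERDIR}/traefik/logs/traefik.log
  # The container runs as ${UID}:${GID}, so acme.json and the logs directory must be
  # owned by (or writable for) that user.
  traefik:
    container_name: ${TRAEFIK_CONTAINER_NAME:-traefik}
    # TRAEFIK_TAG defaults to a moving tag; set it to a specific release for reproducible deployments.
    image: ${TRAEFIK_IMAGE:-traefik}:${TRAEFIK_TAG:-latest}
    restart: ${TRAEFIK_RESTART_POLICY:-always}
    security_opt:
      - no-new-privileges:true
    # Unprivileged user; Docker API access goes through the socket proxy (DOCKER_ENDPOINT), not a mounted socket.
    # Quoted so the interpolated "1000:1000" is never read as a YAML 1.1 sexagesimal number.
    user: "${UID:-1000}:${GID:-1000}"
    networks:
      proxy:
      socket_proxy:
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      #- target: 465
      #  published: 465
      #  protocol: tcp
      #  mode: host
      #- target: 587
      #  published: 587
      #  protocol: tcp
      #  mode: host
      #- 465:465
      #- 587:587
    #env_file:
    #  - path: ./traefik.env
    #    required: true  # default
    #  - path: ./override.env
    #    required: false
    environment:
      #- CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
      #- CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
      # The DNS provider reads the token from the secret file, so the value never appears in the environment or `docker inspect`.
      - CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare_api_token
      - HTPASSWD_FILE=/run/secrets/basic_auth_credentials  # HTTP Basic Auth Credentials
      - DOMAINNAME0  # Passing the domain name to traefik container to be able to use the variable in rules.
      - DOMAINNAME1
      - DOMAINNAME2
      - DOMAINNAME3
      - CF_API_EMAIL
    command:  # CLI arguments
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=false  #true
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # Dashboard/API entrypoint. It is deliberately not published in `ports` above; reach it only via the routers in `labels`.
      - --entrypoints.traefik.address=:8080
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.web.http.redirections.entrypoint.permanent=true
      - --api=true
      - --api.dashboard=true
      # - --serversTransport.insecureSkipVerify=true
      # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
      # Keep this list tight: any address in it can spoof the client IP seen by access logs, IP allow-lists and rate limits.
      - --entrypoints.websecure.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
      - --log=true
      - --log.filePath=/logs/traefik.log
      - --log.level=INFO  # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      - --accessLog=true
      - --accessLog.filePath=/logs/access.log
      - --accessLog.bufferingSize=100  # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=204-299,400-499,500-599
      - --providers.docker=true
      - --providers.docker.endpoint=${DOCKER_ENDPOINT}  # Use Docker Socket Proxy instead for improved security
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=proxy
      - --entrypoints.websecure.http.tls=true
      - --entrypoints.websecure.http.tls.options=tls-opts@file
      # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
      - --entrypoints.websecure.http.tls.certresolver=${CERTRESOLVER}
      - --entrypoints.websecure.http.tls.domains[0].main=$DOMAINNAME0
      - --entrypoints.websecure.http.tls.domains[0].sans=*.$DOMAINNAME0
      - --entrypoints.websecure.http.tls.domains[1].main=$DOMAINNAME1
      - --entrypoints.websecure.http.tls.domains[1].sans=*.$DOMAINNAME1
      - --entrypoints.websecure.http.tls.domains[2].main=$DOMAINNAME2
      - --entrypoints.websecure.http.tls.domains[2].sans=*.$DOMAINNAME2
      - --entrypoints.websecure.http.tls.domains[3].main=$DOMAINNAME3
      - --entrypoints.websecure.http.tls.domains[3].sans=*.$DOMAINNAME3
      - --providers.file.directory=/config  # Load dynamic configuration from one or more .toml or .yml files in a directory
      - --providers.file.watch=true  # Only works on top level files in the rules folder
      - --certificatesResolvers.$CERTRESOLVER.acme.email=${CF_API_EMAIL}
      - --certificatesResolvers.$CERTRESOLVER.acme.storage=/acme.json
      - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.provider=${DNS_PROVIDER}
      - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.resolvers=${RESOLVER0},${RESOLVER1}
      - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.delayBeforeCheck=90  # To delay DNS check and reduce LE hitrate
      # - --certificatesResolvers.$CERTRESOLVER.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory  # LetsEncrypt Staging Server - uncomment when testing
      # - --entrypoints.http.http.middlewares=middlewares-crowdsec-bouncer@file
      # - --entrypoints.mailsecure.address=:465
      # - --entrypoints.maildefault.address=:587
      # - --entrypoints.https.http.middlewares=middlewares-crowdsec-bouncer@file
      # - --entryPoints.ping.address=:8081
      # - --api.insecure=true  # serves the dashboard on the traefik entrypoint with no authentication; keep disabled
      # - --ping=true
      # - --providers.redis=true
      # - --providers.redis.endpoints=redis:6379
      # - --entrypoints.https.http.middlewares=middlewares-crowdsec-bouncer@file
    # healthcheck:
    #   test: ["CMD", "traefik", "healthcheck", "--ping"]
    #   interval: 5s
    #   retries: 3
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # - ${DOCKERDIR}/traefik/traefik.yml:/traefik.yml:ro
      - ${DOCKERDIR}/traefik/config:/config:ro  # file provider directory
      - ${DOCKERDIR}/traefik/acme.json:/acme.json  # cert location - you must touch this file and change permissions to 600
      # Mounted at /logs to match --log.filePath and --accessLog.filePath above; previously the mount target was
      # /var/log/traefik, so traefik.log and access.log never reached the host (and crowdsec could not read them).
      - ${DOCKERDIR}/traefik/logs:/logs  # for crowdsec - make sure to touch file before starting container
    secrets:
      #- cloudflare_email
      #- cloudflare_api_key
      - cloudflare_api_token
      - basic_auth_credentials
    labels:
      # Label values are strings; quoted so the YAML boolean is not handed to the compose loader as a bool.
      traefik.enable: "true"
      traefik.http.routers.traefik.entrypoints: web
      traefik.http.routers.traefik.rule: 'Host(`${PROXYNAME}.${DOMAINNAME1}`)'
      traefik.http.middlewares.traefik-auth.basicauth.users: ${BASICAUTHUSER}
      traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme: https
      traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto: https
      traefik.http.routers.traefik.middlewares: traefik-https-redirect
      traefik.http.routers.traefik-secure.entrypoints: websecure
      traefik.http.routers.traefik-secure.rule: 'Host(`${PROXYNAME}.${DOMAINNAME1}`)'
      # NOTE(review): this router serves the dashboard/API (api@internal) on the public websecure entrypoint behind
      # chain-no-auth@file. Unless that chain (defined in the /config file provider, not visible here) restricts access
      # by source IP or otherwise, the dashboard is reachable without authentication — confirm, or use traefik-auth below.
      traefik.http.routers.traefik-secure.middlewares: chain-no-auth@file
      # traefik.http.routers.traefik-secure.middlewares: traefik-auth
      traefik.http.routers.traefik-secure.service: api@internal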