###############################################################
# Project Name
# 
# https://docs.docker.com/compose/compose-file/05-services/#security_opt
# https://docs.docker.com/compose/environment-variables/set-environment-variables/
# 
###############################################################
name: traefik
services:
# ------------------------------  
# -- Traefik 3
# -- Updated 2024-June-04
# ------------------------------
  traefik:
    image: traefik:3.0.4
    container_name: traefik
    restart: unless-stopped
    user: ${PUID}:${PGID}
    security_opt:
      - no-new-privileges=true
    depends_on:
      - socket-proxy  # Comment out if not using socket-proxy
    networks:
    # This is ONLY defined this way so that Homepage can reach this container via DNS name due to StrictSNI.
    # Meaning this container INTERNAL TO DOCKER is only traefik, by adding the alias it is now
    # traefik AND traefik.domain.tld WITHOUT reaching to a DNS server
    # Allows containers to reach each other internally without asking out
      traefik:
          aliases:
            - traefik.${DOMAINNAME}
          #ipv4_address: 10.255.224.2
      socket_proxy:
        #ipv4_address: 172.16.224.2
    command:
      - "--configFile=/config/traefik.yaml"
    ports:
      # - "80:80"           # SHORT Syntax of below verbose definition
      - name: web
        host_ip: 0.0.0.0    # All interfaces, not a specific one
        target: 80          # Container Port
        published: "80"     # STRING
        protocol: tcp       # tcp or udp
        app_protocol: http  # OPTIONAL. Layer 7 Protocol used.  "Richer behavior"
        mode: host          # or Ingress for load balancing
      - name: websecure
        host_ip: 0.0.0.0
        target: 443
        published: "443"
        protocol: tcp
        app_protocol: https
        mode: host
    secrets:
      - cf_dns_api_token
    environment:
      - TZ=${TZ}
      - DOMAINNAME
      ## Docker Secrets
      - CF_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_api_token
    volumes:
      - "$DOCKERDIR/appdata/traefik/config:/config" # traefik.yaml
      - "$DOCKERDIR/appdata/traefik/data:/data"     # acme.json defined in traefik.yaml
      - "$DOCKERDIR/appdata/traefik/rules:/rules"   # Dynamic File Provider directory
      - "$DOCKERDIR/logs/traefik:/logs"
      ## When using Docker Socket Proxy, comment out the below direct socket access
      ## Ensure traefik.yaml matches chosen method
      # - "/var/run/docker.sock:/var/run/docker.sock:ro"
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.${DOMAINNAME}`) || Host(`traefik.traefik`)"
      - "traefik.http.routers.traefik-rtr.entrypoints=websecure"  # Defined in traefik.yaml
      #### Migrate individual service cert resolver to global resolution in traefik.yaml
      #- "traefik.http.routers.traefik-rtr.tls=true"
      #- "traefik.http.routers.traefik-rtr.tls.certresolver=le"
      #- "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
      #- "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
      ## Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"