services:
  traefik:
    image: traefik:${TRAEFIK_VERSION:-v3.6}
    container_name: ${TRAEFIK_NAME:-traefik}
    restart: unless-stopped

    command:
      # Provider
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.watch=true"


      # EntryPoints
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"

      # Let's Encrypt (ACME)
      - "--certificatesresolvers.le.acme.email=${TRAEFIK_ACME_EMAIL}"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.le.acme.httpchallenge=true"
      - "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web"

      # Dashboard
      - "--api.dashboard=true"
      - "--api.insecure=false"

      # Logging
      - "--log.level=${TRAEFIK_LOGLEVEL:-INFO}"

    ports:
      - "${TRAEFIK_HTTP_PORT:-80}:80"
      - "${TRAEFIK_HTTPS_PORT:-443}:443"

    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "${TRAEFIK_DATA_PATH:-/opt/traefik}/letsencrypt:/letsencrypt"

    networks:
      - proxy

    labels:
      - "traefik.enable=true"

      # Dashboard Router (HTTPS)
      - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DASHBOARD_HOST}`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=le"

      # Basic Auth Middleware
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_AUTH_USER}:${TRAEFIK_AUTH_HASH}"

      # Apply Auth
      - "traefik.http.routers.traefik.middlewares=traefik-auth"

networks:
  proxy:
    name: proxy
    driver: bridge