services:
  traefik:
    image: traefik:latest
    container_name: ${TRAEFIK_NAME:-traefik}
    restart: unless-stopped

    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"

      # EntryPoints
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"

      # Let's Encrypt
      - "--certificatesresolvers.le.acme.httpchallenge=true"
      - "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.le.acme.email=${TRAEFIK_ACME_EMAIL:-admin@example.com}"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"

      # Dashboard
      - "--api.dashboard=true"
      - "--api.insecure=false"

    ports:
      - "${TRAEFIK_HTTP_PORT:-80}:80"
      - "${TRAEFIK_HTTPS_PORT:-443}:443"
      - "${TRAEFIK_DASHBOARD_PORT:-8080}:8080"

    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "${TRAEFIK_DATA_PATH:-/opt/traefik}/letsencrypt:/letsencrypt"

    networks:
      - proxy

    labels:
      - "traefik.enable=true"

      # Dashboard Router
      - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DASHBOARD_HOST:-traefik.local}`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.tls.certresolver=le"

      # Basic Auth Middleware
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_AUTH_USER:-admin}:${TRAEFIK_AUTH_HASH:-$$apr1$$xyz123}"

      # Dashboard secured with Basic Auth
      - "traefik.http.routers.traefik.middlewares=traefik-auth"

networks:
  proxy:
    name: proxy
    driver: bridge