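---
# https://doc.traefik.io/traefik/user-guides/docker-compose/acme-http/
# https://stackoverflow.com/questions/58584625/how-do-i-reference-a-self-signed-ssl-certificates-for-traefik-v2-in-a-docker-com
version: '3.9'

networks:
  proxy:
    external: true

secrets:
  # Credentials for the Cloudflare DNS-01 challenge. They are only ever read
  # from files (never passed inline in the environment). Scope the API token
  # to Zone:DNS:Edit on the single zone it needs.
  cloudflare_account_email_address:
    file: /srv/secrets/traefik/email
  cloudflare_dns_api_token:
    file: /srv/secrets/traefik/token
  # htpasswd-format users file that protects the Traefik dashboard (see the
  # dashboard-auth middleware below). Generate entries with e.g.
  # `htpasswd -nB admin`.
  dashboard_users:
    file: /srv/secrets/traefik/dashboard_users

services:
  reverse-proxy:
    container_name: traefik
    # Pinned minor; keep it on the latest patch release so TLS/HTTP fixes land.
    image: traefik:2.8
    restart: unless-stopped
    # Processes inside the proxy must not gain privileges via setuid binaries.
    security_opt:
      - no-new-privileges:true
    ports:
      # Quoted so that no YAML 1.1 parser can read a "host:container" pair
      # as a sexagesimal integer.
      - '80:80'
      - '443:443'
    networks:
      # Use the public network created to be shared between Traefik and
      # any other service that needs to be publicly available with HTTPS
      - proxy
    secrets:
      - cloudflare_account_email_address
      - cloudflare_dns_api_token
      - dashboard_users
    command:
      - --providers.docker  # Enable Docker in Traefik, so that it reads labels from Docker services
      - --providers.docker.exposedbydefault=false  # Do not expose all Docker services, only the ones explicitly exposed
      - --providers.docker.network=proxy  # Adds default network
      #- --log.level=INFO
      # The dashboard is served through the api@internal service and exposes
      # the full running configuration, so the dashboard router below MUST
      # carry an auth middleware. --api.insecure is deliberately NOT set.
      - --api.dashboard=true
      # - --accesslog  # Enable Access log
      # Required by `traefik healthcheck --ping` in the healthcheck section
      # below; without it the probe always fails and the container is reported
      # unhealthy. /ping is served on the default internal "traefik"
      # entrypoint, which is not published in `ports`.
      - --ping=true
      # Set up LetsEncrypt (DNS-01 challenge, required for the wildcard SAN)
      - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
      # acme.json holds the ACME account key and every issued private key;
      # Traefik refuses to start unless the file is mode 0600.
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
      # Set up an insecure listener that redirects all traffic to TLS
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure  # Redirect all http to https
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      # Set up the TLS configuration for our websecure listener
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls=true
      - --entrypoints.websecure.http.tls.certResolver=letsencrypt
      - --entrypoints.websecure.http.tls.domains[0].main=golem.linux.it
      - --entrypoints.websecure.http.tls.domains[0].sans=*.golem.linux.it
      # SSH
      # - --entrypoints.ssh.address=:22  # host system must use another port!
    volumes:
      # Add Docker as a mounted volume, so that Traefik can read the labels of
      # other services.
      # NOTE(security): ":ro" only makes the socket *file* read-only; every
      # Docker API call (including creating privileged containers) still works
      # over it, so this grants Traefik root-equivalent access to the host.
      # Prefer putting a filtered socket proxy between Traefik and the daemon.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /srv/volumes/letsencrypt:/letsencrypt
    environment:
      # https://go-acme.github.io/lego/dns/cloudflare/
      # The *_FILE variants make lego read the values from the mounted secrets.
      CLOUDFLARE_EMAIL_FILE: /run/secrets/cloudflare_account_email_address
      CLOUDFLARE_DNS_API_TOKEN_FILE: /run/secrets/cloudflare_dns_api_token
    labels:
      - traefik.enable=true
      - traefik.http.routers.dashboard.service=api@internal  # TODO: not working
      - traefik.http.routers.dashboard.rule=Host(`traefik.golem.linux.it`)
      - traefik.http.routers.dashboard.entrypoints=websecure
      - traefik.http.routers.dashboard.tls.certresolver=letsencrypt
      # Require credentials before the dashboard/API is reachable; the router
      # stays disabled (fail closed) if the middleware cannot be built.
      - traefik.http.routers.dashboard.middlewares=dashboard-auth@docker
      - traefik.http.middlewares.dashboard-auth.basicauth.usersfile=/run/secrets/dashboard_users
    healthcheck:
      # Depends on --ping=true in the command above.
      test: [CMD, traefik, healthcheck, --ping]
      interval: 10s
      timeout: 5s
      retries: 3
      start_period: 15s

  # Demo backend: echoes the incoming request (headers included) back to the
  # client. Useful to verify routing/TLS; remove it once the setup is verified.
  demo-service:
    container_name: whoami
    image: traefik/whoami
    restart: unless-stopped
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.rule=Host(`whoami.golem.linux.it`)
      - traefik.http.routers.whoami.entrypoints=websecure
      - traefik.http.routers.whoami.tls.certresolver=letsencrypt
      - traefik.http.services.whoami.loadbalancer.server.port=80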