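---
# https://doc.traefik.io/traefik/user-guides/docker-compose/acme-http/
# https://stackoverflow.com/questions/58584625/how-do-i-reference-a-self-signed-ssl-certificates-for-traefik-v2-in-a-docker-com
#
# Traefik 2.x reverse proxy terminating TLS for the services on the shared
# "proxy" network. Certificates come from Let's Encrypt via the Cloudflare DNS
# challenge; the Cloudflare token and the ACME e-mail address are interpolated
# from the environment (.env) so no secret is written into this file.
version: '3.9'  # Recent Compose releases ignore this key; kept for older ones

networks:
  proxy:
    external: true

services:
  reverse-proxy:
    container_name: traefik
    image: traefik:2.8
    restart: unless-stopped
    ports:
      # Quoted so the host:container pair can never be read as a YAML 1.1
      # sexagesimal number by a generic parser
      - '80:80'
      - '443:443'
    networks:
      # Use the public network created to be shared between Traefik and
      # any other service that needs to be publicly available with HTTPS
      - proxy
    command:
      - --providers.docker  # Enable Docker in Traefik, so that it reads labels from Docker services
      - --providers.docker.exposedbydefault=false  # Do not expose all Docker services, only the ones explicitly exposed
      - --providers.docker.network=proxy  # Adds default network
      # - --log.level=INFO
      - --api.dashboard=true
      # - --accesslog  # Enable Access log
      # Enable the /ping route: the container healthcheck below runs
      # `traefik healthcheck --ping`, which fails unless ping is enabled.
      # The route lives on Traefik's internal entrypoint, which is not
      # published in `ports`, so it stays container-local.
      - --ping=true
      # Set up LetsEncrypt
      - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.letsencrypt.acme.email=${EMAIL_ADDRESS}
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
      # Set up an insecure listener that redirects all traffic to TLS
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure  # Redirect all http to https
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      # Set up the TLS configuration for our websecure listener
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls=true
      - --entrypoints.websecure.http.tls.certResolver=letsencrypt
      - --entrypoints.websecure.http.tls.domains[0].main=golem.linux.it
      - --entrypoints.websecure.http.tls.domains[0].sans=*.golem.linux.it
      # SSH
      # - --entrypoints.ssh.address=:22  # host system must use another port!
    volumes:
      # Add Docker as a mounted volume, so that Traefik can read the labels of
      # other services. Note: `:ro` only makes the mount read-only; the Docker
      # API behind the socket is still fully usable from inside the container,
      # so this container must be treated as equivalent to root on the host.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # acme.json holds the private keys of the issued certificates
      - /srv/volumes/letsencrypt:/letsencrypt
    environment:
      - CLOUDFLARE_EMAIL=${CLOUDFLARE_ACCOUNT_EMAIL_ADDRESS}
      - CLOUDFLARE_DNS_API_TOKEN=${CLOUDFLARE_TOKEN_GOES_HERE}
    labels:
      - traefik.enable=true
      - traefik.http.routers.dashboard.service=api@internal
      - traefik.http.routers.dashboard.rule=Host(`traefik.889217.xyz`)
      - traefik.http.routers.dashboard.entrypoints=websecure
      - traefik.http.routers.dashboard.tls.certresolver=letsencrypt
      # api@internal reveals the whole routing configuration and the router
      # above is reachable from the Internet, so require credentials before
      # serving it. DASHBOARD_BASICAUTH_USERS is a placeholder variable name:
      # set it in .env to an htpasswd-format "user:hash" list (e.g. generated
      # with `htpasswd -nB user`). If it is left unset the middleware is
      # invalid and the dashboard router is not served (fails closed).
      - traefik.http.routers.dashboard.middlewares=dashboard-auth
      - traefik.http.middlewares.dashboard-auth.basicauth.users=${DASHBOARD_BASICAUTH_USERS}
    healthcheck:
      # Requires --ping=true in `command` above
      test: ['CMD', 'traefik', 'healthcheck', '--ping']
      interval: 10s
      timeout: 5s
      retries: 3
      start_period: 15s

  demo-service:
    container_name: whoami
    image: traefik/whoami
    restart: unless-stopped
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.rule=Host(`whoami.golem.linux.it`)
      - traefik.http.routers.whoami.entrypoints=websecure
      - traefik.http.routers.whoami.tls.certresolver=letsencrypt
      - traefik.http.services.whoami.loadbalancer.server.port=80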