---
services:
  traefik:
    image: traefik:${TRAEFIK_VERSION:-latest}
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - "no-new-privileges:true"
    networks:
      traefik:
    ports:
      - ${TRAEFIK_HTTP_PORT:-80}:80
      - ${TRAEFIK_HTTPS_PORT:-443}:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik:/etc/traefik
      - ./data/certs:/etc/certs:ro
      - ./data/logs/traefik.log:/var/log/traefik.log
      - ./data/logs/access.log:/vat/log/crowdsec/traefik.log
    environment:
      - "CF_API_EMAIL=${CLOUDFLARE_MAIL:?error}"
      - "CF_DNS_API_TOKEN=${CLOUDFLARE_TOKEN:?error}"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:?error}`)"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.middlewares.basic-auth.basicauth.users=${TRAEFIK_BASICAUTH_USER}:${TRAEFIK_BASICAUTH_PASSWORD}"
      - "traefik.http.routers.traefik-secure.middlewares=basic-auth"
      - "traefik.http.routers.traefik-secure.rule=Host(`${TRAEFIK_DOMAIN:?error}`)"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=${TRAEFIK_SAN_DOMAIN_0?error}"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.${TRAEFIK_SAN_DOMAIN_0?error}"
      - "traefik.http.routers.traefik-secure.service=api@internal"

networks:
  traefik:
    external: true