version: "3.9"

networks:
  public:
    name: public
    external: false

services:
  traefik:
    image: traefik
    container_name: traefik
    restart: always
    environment:
      # - CF_API_EMAIL=${CF_API_EMAIL} # used with CF_API_KEY
      # - CF_API_KEY=${CF_API_KEY} # Global API Key, unsafe
      - CF_ZONE_API_TOKEN=${CF_ZONE_API_TOKEN} # Zone / Zone / Read, scope across all zones
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN} # Zone / DNS / Edit, scope to specific domain(s)
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./acme.json:/acme.json"
    ports:
      - "80:80"
      - "443:443"
      # - "8080:8080"
    networks:
      - public
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.websecure.address=:443"

      # Let's Encrypt
      - "--certificatesresolvers.le.acme.email=${CF_API_EMAIL}"
      - "--certificatesresolvers.le.acme.storage=/acme.json"
      # - "--certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.le.acme.dnschallenge=true"
      - "--certificatesresolvers.le.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.le.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`${TRAEFIK_DOMAIN}`)"
      - "traefik.http.routers.dashboard.service=dashboard-service"
      - "traefik.http.services.dashboard-service.loadbalancer.server.port=8080"
      - "traefik.http.routers.dashboard.tls=true"
      - "traefik.http.routers.dashboard.tls.certresolver=le"