version: "3.9"

networks:
  public:
    name: public
    external: false

services:
  traefik:
    image: traefik
    container_name: traefik
    restart: always
    environment:
      # - CF_API_EMAIL=${CF_API_EMAIL} # used with CF_API_KEY
      # - CF_API_KEY=${CF_API_KEY} # Global API Key, unsafe
      - CF_ZONE_API_TOKEN=${CF_ZONE_API_TOKEN} # Zone / Zone / Read, scope across all zones
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN} # Zone / DNS / Edit, scope to specific domain(s)
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./acme.json:/acme.json"
      - "./dynamic:/etc/traefik/dynamic"
      - "./certs:/certs"
    ports:
      - "80:80"
      - "443:443"
      # - "8080:8080"
    networks:
      public:
        ipv4_address: 172.22.0.254
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=public"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.websecure.address=:443"
      - "--providers.file.directory=/etc/traefik/dynamic"

      # Let's Encrypt
      - "--certificatesresolvers.le.acme.email=${CF_API_EMAIL}"
      - "--certificatesresolvers.le.acme.storage=/acme.json"
      # - "--certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.le.acme.dnschallenge=true"
      - "--certificatesresolvers.le.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.le.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
      - "--serversTransport.insecureSkipVerify=true"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`${TRAEFIK_DOMAIN}`)"
      - "traefik.http.routers.dashboard.service=dashboard-service"
      - "traefik.http.services.dashboard-service.loadbalancer.server.port=8080"
      - "traefik.http.routers.dashboard.tls=true"
      - "traefik.http.routers.dashboard.tls.certresolver=le"
      - "traefik.http.middlewares.dashboard-basicauth.basicauth.users=${BASIC_AUTH_CREDENTIALS}"
      - "traefik.http.routers.dashboard.middlewares=dashboard-basicauth,error-pages-middleware"

  error-pages:
    image: tarampampam/error-pages
    container_name: error-pages
    restart: always
    environment:
      TEMPLATE_NAME: lost-in-space
      SHOW_DETAILS: true
    labels:
      traefik.enable: true
      # use as "fallback" for any NON-registered services (with priority below normal)
      traefik.http.routers.error-pages.rule: HostRegexp(`{host:.+}`) || Host(`error.ykz.app`)
      traefik.http.routers.error-pages.priority: 10
      # "errors" middleware settings
      traefik.http.routers.error-pages.middlewares: error-pages-middleware
      traefik.http.middlewares.error-pages-middleware.errors.status: 400-599
      traefik.http.middlewares.error-pages-middleware.errors.service: error-pages-service
      traefik.http.middlewares.error-pages-middleware.errors.query: /{status}.html
      # define service properties
      traefik.http.services.error-pages-service.loadbalancer.server.port: 8080
      traefik.http.routers.error-pages.service: error-pages-service
      traefik.http.routers.error-pages.tls: true
      traefik.http.routers.error-pages.tls.certresolver: le
      traefik.http.routers.traefik.middlewares: error-pages-middleware
    networks:
      - public
    depends_on:
      - traefik