# Traefik reverse proxy: terminates TLS on 80/443, discovers backends through the
# Docker provider, and obtains certificates from an ACME CA via the Cloudflare
# DNS-01 challenge (resolver name: "cloudflare").
version: '3.6'
services:
  traefik:
    container_name: 'traefik'
    # NOTE(review): 'latest' is a floating tag, so a pull can silently change the
    # major version and the running code. Pin a reviewed tag or digest, e.g.
    # 'traefik:<pinned-version>'. The catch-all rule in the labels below uses the
    # `{name:regex}` HostRegexp form; verify it against the major version in use.
    image: 'traefik:latest'
    restart: 'always'
    security_opt:
      # Stops processes in the container from gaining privileges via setuid/setgid binaries.
      - no-new-privileges:true
    environment:
      # Both values are interpolated by Compose from the shell environment or an
      # .env file; keep that file out of version control. They are also readable
      # through `docker inspect` by anyone with access to the Docker API.
      # NOTE(review): CF_API_EMAIL + CF_API_KEY is the account-wide Cloudflare key.
      # The DNS challenge only needs DNS edit rights on the zone; consider a scoped
      # API token (CF_DNS_API_TOKEN) so a leak does not expose the whole account.
      - CF_API_EMAIL=${CF_API_EMAIL}
      - CF_API_KEY=${CF_API_KEY}
    command:
      - '--log.level=INFO'
      # Entry points: plain HTTP on :80 (redirect only, see labels) and HTTPS on :443.
      - '--entrypoints.web.address=:80'
      - '--entrypoints.websecure.address=:443'
      # NOTE(review): with the Docker provider's defaults, every container on this
      # daemon is exposed unless it opts out. Consider adding
      # '--providers.docker.exposedbydefault=false' and opting services in with
      # 'traefik.enable=true' (this container included, for the labels below).
      - '--providers.docker'
      # Enables the API/dashboard. The insecure mode is not set, so the dashboard is
      # reachable only through the 'traefik' router defined in the labels.
      - '--api'
      # ACME resolver "cloudflare": DNS-01 challenge through the Cloudflare API.
      - '--certificatesresolvers.cloudflare.acme.email=${CF_API_EMAIL}'
      - '--certificatesresolvers.cloudflare.acme.dnschallenge=true'
      - '--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare'
      # DNS servers queried to confirm the challenge TXT record has propagated.
      - '--certificatesResolvers.cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53'
      # Holds the ACME account key and the private keys of issued certificates.
      - '--certificatesresolvers.cloudflare.acme.storage=/acme.json'
      # Uncomment to test against the Let's Encrypt staging CA (untrusted certificates,
      # relaxed rate limits) before requesting production certificates.
      #- '--certificatesresolvers.cloudflare.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory'
    ports:
      # No host IP is given, so both ports are published on all host interfaces.
      - "80:80"
      - "443:443"
    volumes:
      # NOTE(review): ':ro' only makes the socket file read-only; a process that can
      # connect to it can still send any Docker API request, which is equivalent to
      # root on the host. Consider a socket proxy that allows only the read-only
      # endpoints Traefik needs.
      - '/var/run/docker.sock:/var/run/docker.sock:ro'
      # Create ./acme.json as an empty file with mode 600 before the first start:
      # Docker creates a directory if the path is missing, and Traefik refuses
      # storage files with looser permissions. Treat the file as secret material.
      - './acme.json:/acme.json'
    labels:
      # Global redirect: any host arriving on the 'web' (port 80) entry point is sent to https.
      - 'traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)'
      - 'traefik.http.routers.http-catchall.entrypoints=web'
      - 'traefik.http.routers.http-catchall.middlewares=redirect-to-https'
      - 'traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https'

      # Global wildcard certificate: requests example.eu plus *.example.eu from the
      # 'cloudflare' resolver.
      # NOTE(review): this router defines no rule of its own; confirm it still
      # triggers issuance on the Traefik version in use.
      - 'traefik.http.routers.wildcard-certs.tls.certresolver=cloudflare'
      - 'traefik.http.routers.wildcard-certs.tls.domains[0].main=example.eu'
      - 'traefik.http.routers.wildcard-certs.tls.domains[0].sans=*.example.eu'

      # Dashboard: served only on 'websecure' for traefik2.example.eu, routed to the
      # internal API service behind the 'authtraefik' basic-auth middleware.
      - 'traefik.http.routers.traefik.rule=Host(`traefik2.example.eu`)'
      - 'traefik.http.routers.traefik.tls=true'
      - 'traefik.http.routers.traefik.entrypoints=websecure'
      - 'traefik.http.routers.traefik.service=api@internal'
      - 'traefik.http.routers.traefik.middlewares=authtraefik'
      # NOTE(review): 'changeme:htpasswd' is a placeholder, not a valid credential.
      # Replace it with '<user>:<hash>' generated by htpasswd (bcrypt preferred) and
      # double every '$' in the hash ('$$') so Compose does not interpolate it.
      # The dashboard shows the full routing configuration; consider also limiting
      # this router to trusted source addresses.
      - 'traefik.http.middlewares.authtraefik.basicauth.users=changeme:htpasswd'
