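---
# Traefik v2 edge proxy: terminates TLS on :443, redirects :80 to HTTPS,
# discovers backends through the Docker provider and obtains certificates
# from an ACME resolver named "sslresolver".
# Variables read from the environment / .env file:
# EMAIL, DOMAIN0, API_EMAIL, API_TOKEN (DOMAIN1 only in the commented block).
version: "3.3"

networks:
  proxy:
    external: true

services:
  traefik:
    # Tag tracks a minor release line, so the image can change under the
    # same name; pin a full version or digest for reproducible deployments.
    image: "traefik:v2.5"
    container_name: traefik
    restart: always
    # NOTE(review): the top-level "proxy" network is declared but the service
    # joins it through network_mode rather than a "networks:" list. Confirm
    # this works with the Compose version in use before changing it.
    network_mode: proxy
    command:
      # Access logs are disabled; enable them if request-level audit data is
      # needed for detection or incident response.
      # - "--accesslog=true"
      # Dashboard/API are enabled, but api.insecure is not set, so they are
      # only reachable through the authenticated router defined in labels.
      - "--api.dashboard=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      # - "--log.level=INFO"
      # The health endpoint is bound to the public "web" entrypoint.
      - "--ping"
      - "--ping.entryPoint=web"
      - "--providers.docker=true"
      # Opts in to sending anonymised usage statistics upstream; remove the
      # flag if that is not wanted.
      - "--global.sendAnonymousUsage"
      - "--providers.docker.network=proxy"
      # Containers are only routed when they carry traefik.enable=true.
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
      - "--certificatesresolvers.sslresolver.acme.email=${EMAIL}"
      - "--certificatesresolvers.sslresolver.acme.storage=/letsencrypt/acme.json"
      #? Prod HTTP challenge
      - "--certificatesresolvers.sslresolver.acme.httpchallenge=true"
      # Fixed: the original pointed at an entrypoint named "http", which is
      # not defined in this file. The port-80 entrypoint is called "web".
      - "--certificatesresolvers.sslresolver.acme.httpchallenge.entrypoint=web"
      #? Cloudflare DNS Challenge
      # - "--certificatesresolvers.sslresolver.acme.dnschallenge=true"
      # - "--certificatesresolvers.sslresolver.acme.dnschallenge.provider=cloudflare"
      # - "--certificatesResolvers.sslresolver.acme.dnsChallenge.delayBeforeCheck=0"
      # - "--certificatesResolvers.sslresolver.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
      #? Wildcard domain certs
      # - "--entrypoints.websecure.http.tls.certResolver=sslresolver"
      # - "--entrypoints.websecure.http.tls.domains[0].main=${DOMAIN0}"
      # - "--entrypoints.websecure.http.tls.domains[0].sans=*.${DOMAIN0}"
      # - "--entrypoints.websecure.http.tls.domains[1].main=${DOMAIN1}"
      # - "--entrypoints.websecure.http.tls.domains[1].sans=*.${DOMAIN1}"
    volumes:
      # ":ro" only makes the socket file read-only on the mount. It does not
      # restrict Docker API calls, so a compromise of this internet-facing
      # container gives root-equivalent control of the host. Consider a
      # filtering socket proxy that allows only the read endpoints Traefik
      # needs.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # acme.json holds the ACME account key and certificate private keys.
      # Keep the host directory readable by root only and the file at mode 600.
      - "/opt/traefik/letsencrypt:/letsencrypt"
    ports:
      - "80:80"
      - "443:443"
    environment:
      # Only used by the Cloudflare DNS challenge, which is commented out
      # above. While the HTTP challenge is in use, these can be dropped so the
      # API token is not exposed to the container. Scope the token to DNS
      # edits on the required zone.
      - "CLOUDFLARE_EMAIL=${API_EMAIL}"
      - "CLOUDFLARE_DNS_API_TOKEN=${API_TOKEN}"
    labels:
      #? Dashboard
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`dash.${DOMAIN0}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      # Added: with the entrypoint-level TLS block commented out above, this
      # router had no TLS configuration. It would not have been served over
      # HTTPS on :443, and no certificate would be requested for the dashboard
      # host.
      - "traefik.http.routers.traefik.tls.certresolver=sslresolver"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=auth"
      # Replace INSERT_PASSWORD_HERE with an htpasswd hash, never a plaintext
      # password. Every "$" in the hash must be doubled for Compose:
      # echo $(htpasswd -nb admin 'Password!') | sed -e s/\\$/\\$\\$/g
      # "-b" leaves the password in shell history; "htpasswd -nB admin"
      # prompts for it instead and emits a bcrypt hash.
      - "traefik.http.middlewares.auth.basicauth.users=admin:INSERT_PASSWORD_HERE"
      # Placeholder port for a service named "dummy-svc". Nothing in this file
      # listens on 9999. Presumably it satisfies the Docker provider's port
      # detection; verify before removing.
      - "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"
      # "sslheader" is not attached to any router in this file, so it only
      # takes effect where another service references it.
      # Disabled: X-Forwarded-For carries the client IP chain, and Traefik
      # populates it itself. Setting it to the literal "https" overwrote the
      # client address seen by backends, which breaks logs, IP allow-lists and
      # rate limits.
      # - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-For=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"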