services:
  traefik:
    image: traefik:latest
    container_name: traefik
    command:
      - --global.sendanonymoususage=false
      - --log.level=INFO

      # Docker Provider
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=webproxy-net

      # optional: zusätzliche dynamische Datei für Middlewares/TLS-Optionen
      - --providers.file.directory=/etc/traefik/dynamic
      - --providers.file.watch=true

      # EntryPoints
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443

      # globaler HTTP -> HTTPS Redirect
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.web.http.redirections.entrypoint.permanent=true

      # ACME / Let's Encrypt
      - --certificatesresolvers.le.acme.email=Michael.Seidel@focus-on-it.de
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.le.acme.httpchallenge=true
      - --certificatesresolvers.le.acme.httpchallenge.entrypoint=web

      # Dashboard nur intern / testweise
      - --api.dashboard=true
      - --api.insecure=false

    ports:
      - "80:80"
      - "443:443"

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /root/docker/traefik/data/letsencrypt:/letsencrypt
      - /root/docker/traefik/data/dynamic:/etc/traefik/dynamic:ro

    networks:
      - webproxy-net
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik.rule=Host(`traefik.focus-on-it.net`)
      - traefik.http.routers.traefik.entrypoints=websecure
      - traefik.http.routers.traefik.tls=true
      - traefik.http.routers.traefik.tls.certresolver=le
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.routers.traefik.middlewares=lan-only@file,dashboard-auth@file
    restart: unless-stopped

networks:
  webproxy-net:
    external: true