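---
# Traefik Reverse Proxy Stack
# Main reverse proxy with Let's Encrypt SSL automation
# Place in /opt/stacks/traefik/docker-compose.yml
#
# Compose substitutes these variables from the shell or a .env file:
#   DOMAIN            - base domain used in the dashboard router rule
#   CF_DNS_API_TOKEN  - only if using the Cloudflare DNS challenge
#   DUCKDNS_TOKEN     - only if using the DuckDNS challenge
# The tokens are credentials; keep the .env file out of version control.

services:
  traefik:
    image: traefik:v2.11
    container_name: traefik
    restart: unless-stopped
    security_opt:
      # Processes in the container cannot gain privileges via setuid/setgid
      # binaries.
      - "no-new-privileges:true"
    networks:
      - traefik-network
    ports:
      # HTTP (only used for the redirect router below)
      - "80:80"
      # HTTPS
      - "443:443"
      # Direct API/dashboard port, bound to loopback only. Authelia is
      # attached to the `traefik` router on `websecure` below; it does not
      # sit in front of this port. If traefik.yml (not shown here) sets
      # `api.insecure: true`, anything that can reach 8080 gets the
      # dashboard with no authentication, so it must not be published on
      # all interfaces. Remove this mapping if the port is unused.
      - "127.0.0.1:8080:8080"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # NOTE(review): `:ro` only makes the socket file read-only; it does
      # not restrict Docker API calls sent over it. A compromised Traefik
      # can still control the Docker daemon. Consider placing a
      # filtering socket proxy between Traefik and the daemon.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /opt/stacks/traefik/traefik.yml:/traefik.yml:ro
      - /opt/stacks/traefik/dynamic:/dynamic:ro
      # Writable on purpose: Traefik stores ACME account keys and
      # certificate private keys here. Create the file with mode 600
      # on the host before the first start.
      - /opt/stacks/traefik/acme.json:/acme.json
    environment:
      # If using Cloudflare DNS challenge
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
      # If using DuckDNS
      - DUCKDNS_TOKEN=${DUCKDNS_TOKEN}
    labels:
      - "traefik.enable=true"
      # Dashboard: served over HTTPS via the internal API service. The
      # `authelia@docker` middleware is not defined in this file; it is
      # presumably declared by labels on the Authelia container - verify
      # that it resolves before relying on it for access control.
      - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik.middlewares=authelia@docker"
      - "traefik.http.routers.traefik.service=api@internal"
      # Global HTTP to HTTPS redirect
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"

networks:
  # Shared proxy network; must already exist (created outside this stack).
  traefik-network:
    external: true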