version: '3'

services:
  traefik:
    container_name: traefik
    image: traefik:v2.2.1
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false      
      - --api=true
      - --entrypoints.web.address=:80      
      - --entrypoints.websecure.address=:443
      # - --certificatesresolvers.letsencrypt.acme.email=${LETSENCRYPT_EMAIL}
      # - --certificatesresolvers.letsencrypt.acme.storage=/acme.json
      # - --certificatesResolvers.letsencrypt.acme.dnsChallenge=true
      # - --certificatesResolvers.letsencrypt.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53
      # - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=gandiv5
      # - --certificatesResolvers.letsencrypt.acme.dnsChallenge.delayBeforeCheck=0
      # staging server
      #- --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
    # environment:
    #   - GANDIV5_API_KEY=${GANDIV5_API_KEY}
    #labels: 
      # - traefik.enable=true
      # - traefik.http.routers.api.rule=Host(`${HOST_TRAEFIK}.${DOMAIN}`)
      # - traefik.http.routers.api.entrypoints=web
      # - traefik.http.routers.api.entrypoints=websecure
      # - traefik.http.routers.api.service=api@internal   
      # - traefik.http.routers.api.middlewares=auth
      # - traefik.http.middlewares.auth.basicauth.users=${BASIC_AUTH}
      # request widlcard certificate
      # - traefik.http.routers.api.tls.certresolver=letsencrypt
      # - traefik.http.routers.api.tls.domains[0].main=${DOMAIN}
      # - traefik.http.routers.api.tls.domains[0].sans=*.${DOMAIN}
      # global redirect to https
      # - traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)
      # - traefik.http.routers.http-catchall.entrypoints=web
      # - traefik.http.routers.http-catchall.middlewares=redirect-to-https
      # middleware redirect
      # - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
      # - traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true     
    ports:
      - 80:80
      - 443:443
    expose:
      - 8080
    networks:
      - srv
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${ROOT_INSTALL}/hosting/traefik/traefik.yml:/etc/traefik/traefik.yml
      - ${ROOT_INSTALL}/hosting/traefik/tls.yml:/etc/traefik/tls.yml
      - certs:/etc/ssl/traefik

  reverse-proxy-https-helper:
    image: alpine
    command: sh -c "cd /etc/ssl/traefik
      && wget traefik.me/cert.pem -O cert.pem
      && wget traefik.me/privkey.pem -O privkey.pem"
    volumes:
      - certs:/etc/ssl/traefik

volumes:
  certs: