version: '3'

services:
  traefik:
    container_name: traefik
    image: traefik:v2.5.3
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false      
      - --api.dashboard=false
      - --entrypoints.http.address=:80      
      - --entrypoints.https.address=:443
      - --certificatesresolvers.letsencrypt.acme.email=${LETSENCRYPT_EMAIL}
      - --certificatesresolvers.letsencrypt.acme.storage=/acme.json
      - --certificatesResolvers.letsencrypt.acme.dnsChallenge=true
      - --certificatesResolvers.letsencrypt.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=gandiv5
      - --certificatesResolvers.letsencrypt.acme.dnsChallenge.delayBeforeCheck=0
      # staging server
      #- --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
    environment:
      - GANDIV5_API_KEY=${GANDIV5_API_KEY}
    labels: 
      - traefik.enable=true
      - traefik.http.routers.api.entrypoints=http
      - traefik.http.routers.api.entrypoints=https
      - traefik.http.routers.api.service=api@internal
      # middleware auth
      - traefik.http.routers.api.middlewares=auth
      - traefik.http.middlewares.auth.basicauth.users=${BASIC_AUTH}          
      # request widlcard certificate
      - traefik.http.routers.api.tls.certresolver=letsencrypt
      - traefik.http.routers.api.tls.domains[0].main=${DOMAIN}
      - traefik.http.routers.api.tls.domains[0].sans=*.${DOMAIN}
      # global redirect to https
      - traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)
      - traefik.http.routers.http-catchall.entrypoints=http
      - traefik.http.routers.http-catchall.middlewares=redirect-to-https
      # middleware redirect
      - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
      - traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true     
    ports:
      - 80:80
      - 443:443
    networks:
      - dmz
      - baikal-frontend
      - blog-frontend
      - deluge-frontend
      - dokuwiki-frontend
      - glances-frontend
      - netdata-frontend
      - photo-frontend
      - portainer-frontend
      - posteio-frontend
      - seafile-frontend
      - selfoss-frontend
      - shaarli-frontend
      - wallabag-frontend
      - wwww-frontend
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${ROOT_INSTALL}/selfhosting/traefik/acme.json:/acme.json