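---
# Edge reverse proxy stack (Docker Compose).
# Traefik listens on 80/443 and discovers containers through a filtering
# Docker API proxy, so docker.sock is never mounted into the internet-facing
# container itself.
services:
  traefik:
    image: traefik:${TRAEFIK_VERSION}
    restart: unless-stopped
    # Hardening: processes in the container cannot gain privileges through
    # setuid/setgid binaries.
    security_opt:
      - "no-new-privileges:true"
    environment:
      # Credentials for the netcup DNS API, used by the ACME DNS-01 resolver
      # configured below. Values passed this way are readable by anyone who
      # can inspect the container; keep the source .env file out of version
      # control.
      # NOTE(review): the ACME client generally accepts *_FILE variants of
      # its variables, which would allow Docker secrets - verify for the
      # netcup provider before switching.
      - "NETCUP_ENDPOINT=${NETCUP_ENDPOINT}"
      - "NETCUP_CUSTOMER_NUMBER=${NETCUP_CUSTOMER_NUMBER}"
      - "NETCUP_API_KEY=${NETCUP_API_KEY}"
      - "NETCUP_API_PASSWORD=${NETCUP_API_PASSWORD}"
    command:
      # API/dashboard: insecure mode stays off; the dashboard is served only
      # through the authenticated `dashboard` router defined in `labels`.
      - "--api.insecure=false"
      - "--api.dashboard=true"
      # Docker provider: containers must opt in with traefik.enable=true, and
      # the Docker API is reached through the socket proxy service.
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=web"
      - "--providers.docker.endpoint=tcp://docker-socket-proxy:2375"
      #- "--log.level=DEBUG"
      - "--log.level=INFO"
      # Access logging is disabled; enabling it gives per-request records for
      # detection and incident response.
      #- "--accesslog=true"
      # Ping endpoint is what the container healthcheck below queries.
      - "--ping=true"
      # Plain HTTP is only used to redirect to HTTPS.
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
      # TLS options (referenced as `intermediate@file` in the labels) are
      # loaded from this file.
      - "--providers.file.filename=/etc/traefik/tls.toml"
      # ACME via DNS challenge against netcup.
      - "--certificatesresolvers.netcup.acme.dnschallenge=true"
      - "--certificatesresolvers.netcup.acme.dnsChallenge.provider=netcup"
      - "--certificatesresolvers.netcup.acme.dnsChallenge.resolvers=46.38.225.230:53,46.38.252.230:53"
      - "--certificatesresolvers.netcup.acme.dnschallenge.delayBeforeCheck=900"
      - "--certificatesresolvers.netcup.acme.email=${LETSENCRYPT_MAIL}"
      - "--certificatesresolvers.netcup.acme.storage=/letsencrypt/acme.json"
      # NOTE(review): no metrics entry point is set, so Traefik serves
      # metrics on its default one. It is not published under `ports`, but
      # confirm which containers on the attached networks can reach it.
      - "--metrics.prometheus=true"
      - "--metrics.prometheus.addEntryPointsLabels=true"
      - "--metrics.prometheus.addRoutersLabels=true"
      - "--metrics.prometheus.addServicesLabels=true"
    ports:
      - "80:80"
      - "443:443"
    networks:
      - web
      - dockersocket
    volumes:
      # acme.json holds the ACME account key and certificate private keys;
      # restrict access to this host directory accordingly.
      - "${VOLUMES_PATH}/proxy/letsencrypt:/letsencrypt"
      # Static TLS configuration is only read by Traefik, so mount it
      # read-only.
      - "$PWD/tls.toml:/etc/traefik/tls.toml:ro"
    healthcheck:
      test: traefik healthcheck --ping
      interval: 3s
      timeout: 1s
    labels:
      - "traefik.enable=true"
      # Dashboard router: HTTPS only, TLS options from the file provider,
      # basic auth in front of api@internal.
      - "traefik.http.routers.dashboard.rule=Host(`traefik.${DOMAIN}`)"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.tls.certresolver=netcup"
      # Requests a wildcard certificate for the domain.
      - "traefik.http.routers.dashboard.tls.domains[0].main=${DOMAIN}"
      - "traefik.http.routers.dashboard.tls.domains[0].sans=*.${DOMAIN}"
      - "traefik.http.routers.dashboard.tls.options=intermediate@file"
      - "traefik.http.routers.dashboard.middlewares=auth"
      # NOTE(review): htpasswd hashes contain `$`; check that the value
      # survives Compose variable interpolation unchanged, otherwise basic
      # auth silently stops matching.
      - "traefik.http.middlewares.auth.basicauth.users=${HTPASSWD}"
      - "docker.group=proxy"

  docker-socket-proxy:
    # NOTE(review): no tag is given, so this resolves to `latest`. This
    # container holds the Docker socket; pin a reviewed version or digest.
    image: tecnativa/docker-socket-proxy
    restart: unless-stopped
    volumes:
      # `:ro` on a socket bind mount does not limit which API calls can be
      # sent through it; the access flags under `environment` are the actual
      # control.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    environment:
      # grant privileges as environment variables:
      # https://github.com/Tecnativa/docker-socket-proxy#grant-or-revoke-access-to-certain-api-sections
      # Only the sections listed here are opened. POST is not set, so
      # write-type requests rely on the image default - presumably denied;
      # confirm against the upstream documentation.
      - "LOG_LEVEL=warning"
      - "CONTAINERS=1"
      - "INFO=1"
      - "IMAGES=1"  # for diun
    networks:
      - dockersocket
    healthcheck:
      test:
        - "CMD"
        - "wget"
        - "--no-verbose"
        - "--tries=1"
        - "--spider"
        - "http://localhost:2375/version"
      interval: 10s
      timeout: 3s
    # NOTE(review): privileged mode gives this container full capabilities
    # and device access on the host. Some hosts need it for the proxy to
    # open the socket (e.g. under SELinux); confirm that applies here and
    # remove it if the proxy works without it.
    privileged: true

  # whoami:
  #   image: traefik/whoami
  #   networks:
  #     - web
  #   labels:
  #     - "traefik.enable=true"
  #     - "traefik.http.routers.whoami.rule=Host(`whoami.${DOMAIN}`)"
  #     - "traefik.http.routers.whoami.entrypoints=websecure"
  #     - "traefik.http.routers.whoami.tls.certresolver=netcup"
  #     - "docker.group=proxy"
  #   restart: unless-stopped

networks:
  # Shared network for services routed by Traefik.
  web:
    external: true
  # The socket proxy answers on 2375 without authentication, so every
  # container attached to this network can query the opened API sections.
  # Keep membership to the consumers that need it. The network is created
  # outside this file, so its settings cannot be checked from here.
  dockersocket:
    external: true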