services:
  traefik:
    image: traefik:v3.5
    restart: unless-stopped
    command:
      - "--accesslog=true"
      - "--accesslog.filepath=/logs/traefik-access.log"
      - "--accesslog.format=json"
      - "--accesslog.filters.statusCodes=200-299, 400-599"
      - "--accesslog.bufferingSize=0"
      - "--accesslog.fields.headers.defaultMode=drop"
      - "--accesslog.fields.headers.names.User-Agent=keep"
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.file.directory=/dynamic"
      - "--providers.file.watch=true"
      - "--serversTransport.insecureSkipVerify=true"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.websecure.address=:443"
      - "--certificatesresolvers.cf.acme.dnschallenge=true"
      - "--certificatesresolvers.cf.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.cf.acme.email=tls@skrd.fun"
      - "--certificatesresolvers.cf.acme.storage=/letsencrypt/acme.json"
      - "--experimental.plugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
      - "--experimental.plugins.bouncer.version=v1.4.6"
    ports:
      - "80:80"
      - "443:443"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard-web.rule=Host(`traefik.skrd.fun`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))"
      - "traefik.http.routers.dashboard-web.entrypoints=web"
      - "traefik.http.routers.dashboard-web.middlewares=local-only@file, redirect-to-https@file"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.skrd.fun`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.tls=true"
      - "traefik.http.routers.dashboard.tls.certresolver=cf"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=local-only@file, crowdsec@file"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "${DYNAMIC_DIR}:/dynamic"
      - "${DATA_ROOT}/traefik/letsencrypt:/letsencrypt"
      - "${DATA_ROOT}/traefik/logs:/logs"
    environment:
      CF_API_EMAIL: "${CF_API_EMAIL}"
      CF_DNS_API_TOKEN: "${CF_DNS_API_TOKEN}"

networks:
  default:
    name: traefik