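# Docker Compose project for a Traefik v3 edge proxy.
# Publishes 80/443 on the host, reads container labels through the Docker
# socket, and serves its own dashboard on the `websecure` entrypoint behind a
# source-IP allowlist.
name: traefik

services:
  traefik:
    # The tag is mutable. Pin a digest (traefik:v3.6@sha256:<digest-placeholder>)
    # if pulls must be reproducible and verifiable.
    image: traefik:v3.6
    container_name: traefik
    restart: unless-stopped
    env_file: .env
    security_opt:
      # Blocks privilege gain through setuid/setgid binaries inside the container.
      - no-new-privileges:true
    networks:
      - traefik_proxy
      - proxy_network
    ports:
      # Long syntax with mode: host publishes the port directly on the host.
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      # Container port 8080 published only on 10.8.0.1 (presumably a VPN
      # interface address; confirm).
      # NOTE(review): 8080 is Traefik's default API/dashboard entrypoint when
      # api.insecure is enabled in config/traefik.yml (not visible here). If it
      # is, requests on this port do not pass through the `internal-allowlist`
      # middleware attached to the `dashboard` router below; the bind address
      # is then the only access control. Confirm, or drop this mapping.
      - "10.8.0.1:9850:8080"
    dns:
      - 1.1.1.1
      - 8.8.8.8
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./certs:/certs:ro
      # SECURITY: `:ro` only makes the socket *file* mount read-only. It does
      # not restrict Docker API calls made through the socket, so a compromise
      # of this internet-facing container gives control of the Docker daemon
      # (root-equivalent on the host). Consider a filtering socket proxy that
      # exposes only the read endpoints the Docker provider needs.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config/traefik.yml:/etc/traefik/traefik.yml:ro
      - ./config/dynamic_conf:/etc/traefik/dynamic_conf:ro
      # Writable on purpose: ACME storage holds the account key and certificate
      # private keys. Keep the host file at mode 0600 and out of version control.
      # NOTE(review): the dashboard router no longer uses a certresolver; remove
      # this mount if no other router relies on ACME.
      - ./data/acme.json:/acme.json
    environment:
      # Interpolated by Compose from the shell or .env. The value is readable by
      # anyone who can run `docker inspect` on the container.
      # NOTE(review): no basicAuth middleware is attached to the dashboard
      # router in these labels. Presumably this is consumed from dynamic_conf;
      # confirm, otherwise the dashboard is protected by source IP alone.
      - TRAEFIK_DASHBOARD_PASS=${TRAEFIK_DASHBOARD_PASS}
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.dashboard.rule=Host(`traefik.gravitywell.xyz`)'
      - 'traefik.http.routers.dashboard.service=api@internal'
      - 'traefik.http.routers.dashboard.entrypoints=websecure'
      # TLS without a resolver: replaces the earlier certresolver label.
      - 'traefik.http.routers.dashboard.tls=true'
      - 'traefik.http.routers.dashboard.middlewares=internal-allowlist'
      # Traefik v3 uses ipAllowList (not the older ipWhiteList).
      # SECURITY: 172.16.0.0/12 and 192.168.0.0/16 cover Docker's default bridge
      # address pools. Every container on the attached networks matches, and so
      # does any external client whose source address is rewritten to a Docker
      # gateway address. Check the access log for real client IPs and narrow
      # these ranges to the subnets that need the dashboard.
      - 'traefik.http.middlewares.internal-allowlist.ipAllowList.sourcerange=127.0.0.1/32,10.8.0.0/24,192.168.0.0/16,172.16.0.0/12'
      - 'traefik.docker.network=traefik_proxy'
    deploy:
      resources:
        limits:
          cpus: "0.50"
          memory: 512M
        reservations:
          cpus: "0.10"
          memory: 128M

networks:
  # Both networks must already exist; Compose does not create them.
  traefik_proxy:
    external: true
  proxy_network:
    external: true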