services:
  traefik:
    image: traefik:v3.0
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"  # Dashboard
    environment:
      - CF_DNS_API_TOKEN={{ cloudflare_api_token | default('') }}
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/dynamic:/etc/traefik/dynamic:ro
      - ./data/acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      # HTTP to HTTPS redirect
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.{{ domain | default('local') }}`)"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      # HTTPS with auth
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.{{ domain | default('local') }}`)"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      # ForwardAuth middleware pointing to Pocket ID
      - "traefik.http.middlewares.pocketid-auth.forwardauth.address=http://auth.{{ domain }}/api/oidc/authorize?client_id=traefik&redirect_uri=https://traefik.{{ domain }}/callback"
      - "traefik.http.middlewares.pocketid-auth.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.pocketid-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
      - "traefik.http.routers.traefik-secure.middlewares=pocketid-auth"

networks:
  proxy:
    external: true