services:
  traefik:
    image: traefik:${TRAEFIK_VERSION}
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    environment:
      - TZ=${TZ}
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.auth.basicauth.users=${BASIC_AUTH}"
      - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_HOST}`)"
      - "traefik.http.routers.traefik.entrypoints=${TRAEFIK_ENTRYPOINT}"
      - "traefik.http.routers.traefik.middlewares=auth"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=${TRAEFIK_RESOLVER}"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
    networks:
      - frontend
    ports:
      - "${HTTP_PORT}:80"
      - "${HTTPS_PORT}:443"
      - "${TRAEFIK_DASHBOARD_BIND}:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${TRAEFIK_CONFIG}:/etc/traefik/traefik.yml:ro
      - ${TRAEFIK_MIDDLEWARES}:/middlewares.yml:ro
      - ${ACME_FILE}:/acme.json
      - ${LETSENCRYPT_DIR}:/letsencrypt

networks:
  frontend:
    external: true