services:
  traefik:
    image: traefik:v2.11
    container_name: ${INFRASTRUCTURE_LABEL:-stack}-traefik
    restart: unless-stopped
    command: 
      - --providers.file.directory=/etc/traefik/dynamic
      - --providers.file.watch=true
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=${TRAEFIK_NETWORK:-proxy}
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.letsencrypt.acme.email=${ACME_EMAIL}
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
      - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
      - --api.dashboard=true
      - --log.level=${TRAEFIK_LOG_LEVEL:-INFO}
      - --accesslog=true
    ports:
      - ${TRAEFIK_HTTP_PORT:-80}:80
      - ${TRAEFIK_HTTPS_PORT:-443}:443
    environment:
      - TZ=${TZ:-UTC}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - ./dynamic:/etc/traefik/dynamic:ro
      - ./data:/letsencrypt
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DASHBOARD_DOMAIN}`)
      - traefik.http.routers.traefik.entrypoints=websecure
      - traefik.http.routers.traefik.tls=true
      - traefik.http.routers.traefik.tls.certresolver=letsencrypt
      - traefik.http.routers.traefik.service=api@internal
      - traefik.docker.network=${TRAEFIK_NETWORK:-proxy}
      # Optional: protect dashboard with basic auth if TRAEFIK_BASIC_AUTH_USERS is set
      - traefik.http.routers.traefik.middlewares=dashboard-basicauth@file

networks:
  proxy:
    external: true