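---
# Traefik v3 edge router for a Docker Swarm stack, plus a whoami test service.
# Static configuration is passed as command-line flags; dynamic (routing)
# configuration comes from service labels read through the Swarm provider.
services:
  traefik:
    image: traefik:v3.6
    networks:
      # Connect to the 'proxy' overlay network for inter-container communication across nodes
      - proxy
    ports:
      # Expose Traefik's entry points to the Swarm
      # Swarm requires the long syntax for ports.
      - target: 80  # Container port (Traefik web entry point)
        published: 80  # Host port exposed on the nodes
        protocol: tcp
        # 'host' mode binds directly to the node's IP where the task runs.
        # 'ingress' mode uses Swarm's Routing Mesh (load balances across nodes).
        # Choose based on your load balancing strategy. 'host' is often simpler if using an external LB.
        mode: ingress
      - target: 443  # Container port (Traefik websecure entry point)
        published: 443  # Host port
        protocol: tcp
        mode: ingress
    environment:
      # Cloudflare API token used by the ACME DNS challenge. It is read from the
      # deployment environment, never written into this file.
      - CF_DNS_API_TOKEN=${TRAEFIK_CF_DNS_API_TOKEN}
    volumes:
      # Mount the Docker socket for the Swarm provider
      # This MUST be run from a manager node to access the Swarm API via the socket.
      # Read-only does not reduce the API's power: anything that can talk to the
      # socket effectively has manager-level control of the cluster.
      - /var/run/docker.sock:/var/run/docker.sock:ro  # Swarm API socket
      # ACME state (account key + issued certificates). Traefik expects
      # acme.json to be readable only by its owner (mode 0600).
      - /mnt/docker-storage/traefik/acme:/acme
    # Traefik Static configuration via command-line arguments
    command:
      # HTTP EntryPoint
      - "--entrypoints.web.address=:80"
      # Configure HTTP to HTTPS Redirection
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
      # HTTPS EntryPoint
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.http.tls=true"
      - "--entrypoints.websecure.http.tls.certResolver=letsencrypt"
      # Certificates Resolver
      - "--certificatesResolvers.letsencrypt.acme.email=${TRAEFIK_ACME_EMAIL}"
      - "--certificatesResolvers.letsencrypt.acme.storage=/acme/acme.json"
      - "--certificatesResolvers.letsencrypt.acme.dnsChallenge.provider=cloudflare"
      # NOTE(review): this disables certificate verification for EVERY upstream
      # Traefik proxies to (the default serversTransport), so a spoofed backend
      # on the overlay network would not be detected. No service in this file
      # uses an HTTPS upstream (whoami is plain HTTP on port 80); if another
      # stack needs it, prefer a named serversTransport scoped to that service.
      - "--serversTransport.insecureSkipVerify=true"
      # Providers
      # Enable the Docker Swarm provider (instead of Docker provider)
      - "--providers.swarm.endpoint=unix:///var/run/docker.sock"
      # Watch for Swarm service changes (requires socket access)
      - "--providers.swarm.watch=true"
      # Recommended: Don't expose services by default; require explicit labels
      - "--providers.swarm.exposedbydefault=false"
      # Specify the default network for Traefik to connect to services.
      # Swarm prefixes network names with the stack name, so this assumes the
      # stack is deployed as "traefik" -- confirm against `docker stack deploy`.
      - "--providers.swarm.network=traefik_proxy"
      # API & Dashboard
      - "--api.dashboard=true"  # Enable the dashboard
      - "--api.insecure=false"  # Explicitly disable insecure API mode (no unauthenticated :8080 listener)
      # Observability
      - "--log.level=INFO"  # Set the Log Level e.g INFO, DEBUG
      - "--accesslog=true"  # Enable Access Logs
      - "--metrics.prometheus=true"  # Enable Prometheus
    deploy:
      mode: replicated
      replicas: 1
      placement:
        # Placement constraints restrict where Traefik tasks can run.
        # Running on manager nodes is common for accessing the Swarm API via the socket.
        constraints:
          - node.role == manager
      # Traefik Dynamic configuration via labels
      # In Swarm, labels on the service definition configure Traefik routing for that service.
      # Labels are visible to anyone with `docker service inspect` rights, so
      # treat every value here as readable by all cluster operators.
      labels:
        - "traefik.enable=true"
        # Dashboard router
        - "traefik.http.routers.traefik.rule=Host(`traefik.apps.dua.casa`)"
        - "traefik.http.routers.traefik.entrypoints=websecure"
        - "traefik.http.routers.traefik.service=api@internal"
        - "traefik.http.routers.traefik.tls=true"
        - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
        # Basic-auth middleware protecting the dashboard/API router.
        # ${TRAEFIK_BASIC_AUTH} holds the htpasswd-style "user:hash" entries.
        - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_BASIC_AUTH}"
        - "traefik.http.routers.traefik.middlewares=traefik-auth@swarm"
        # Service hint: the Swarm provider requires a port even for api@internal
        - "traefik.http.services.traefik.loadbalancer.server.port=8080"
        # CERT router
        # NOTE(review): this rule uses the Traefik v2 HostRegexp placeholder
        # syntax; on v3 confirm it still matches (v3 expects a Go regexp unless
        # the v2 rule syntax is enabled). Also, Traefik does not derive ACME
        # domains from HostRegexp, so a wildcard certificate is normally
        # requested via tls.domains on this router -- verify which certificate
        # is actually being issued.
        - "traefik.http.routers.cert.rule=HostRegexp(`{subdomain:.+}.apps.dua.casa`)"
        - "traefik.http.routers.cert.entrypoints=websecure"
        - "traefik.http.routers.cert.service=noop@internal"
        - "traefik.http.routers.cert.tls=true"
        - "traefik.http.routers.cert.tls.certresolver=letsencrypt"
        - "traefik.http.routers.cert.priority=1"
        # Homepage Widget
        - homepage.group=Network
        - homepage.name=Traefik
        - homepage.icon=sh-traefik-light
        # NOTE(review): href host differs from the dashboard router host
        # (traefik.apps.dua.casa); confirm traefik.dua.casa is served somewhere.
        - homepage.href=https://traefik.dua.casa
        - homepage.description=A modern HTTP reverse proxy and load balancer that makes deploying microservices easy.
        - homepage.widget.type=traefik
        - homepage.widget.url=https://traefik.apps.dua.casa
        - homepage.widget.username=admin
        # The widget password used to be a plaintext literal in this file. It is
        # now taken from the environment, like the other credentials above.
        # HOMEPAGE_TRAEFIK_WIDGET_PASSWORD is a constructed name: define it in the
        # same env file as TRAEFIK_BASIC_AUTH, and rotate the previously
        # committed value since it is in VCS history.
        - homepage.widget.password=${HOMEPAGE_TRAEFIK_WIDGET_PASSWORD}

  # Deploy the Whoami application
  whoami:
    image: traefik/whoami
    networks:
      - proxy
    deploy:
      labels:
        # Enable Service discovery for Traefik
        - "traefik.enable=true"
        # Define the Whoami router rule
        - "traefik.http.routers.whoami.rule=Host(`whoami.apps.dua.casa`)"
        # Expose Whoami on the HTTPS entrypoint
        - "traefik.http.routers.whoami.entrypoints=websecure"
        # Enable TLS
        - "traefik.http.routers.whoami.tls=true"
        - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"
        # Expose the whoami port number to Traefik
        - traefik.http.services.whoami.loadbalancer.server.port=80

# Define the overlay network for Swarm
networks:
  proxy:
    driver: overlay
    attachable: true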