version: '3.8'

volumes:
  traefik:

networks:
  traefik:
    name: traefik

services:
  traefik:
    image: "${IMAGE:-traefik}:${VERSION:-latest}"
    command:
      - --providers.docker=true
      - --providers.docker.swarmMode=true
      - --providers.docker.exposedbydefault=${EXPOSED_BY_DEFAULT:-false}
      - --api.dashboard=${DASHBOARD:-true}
      - --api.debug=${DEBUG:-false}
      - --log.level=${LOG_LEVEL:-ERROR}
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.web.http.redirections.entrypoint.permanent=true
    ports:
      - "${WEB_PORT:-0.0.0.0:80:80}"
      - "${WEBSECURE_PORT:-0.0.0.0:443:443}"
    networks:
      - traefik
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - "traefik:/etc/traefik"
    deploy:
      mode: global
      placement:
        constraints:
          - node.role == manager
      labels:
        - "traefik.http.routers.${ROUTER:-traefik}.rule=Host(`${DOMAIN:-traefik.local.krislamo.org}`)"
        - "traefik.http.routers.${ROUTER:-traefik}.service=api@internal"
        - "traefik.http.routers.${ROUTER:-traefik}.entrypoints=${ENTRYPOINT:-websecure}"
        - "traefik.http.routers.${ROUTER:-traefik}.tls=${ENABLE_TLS:-true}"
        - "traefik.http.services.${SERVICE:-traefik}.loadbalancer.server.port=80"
        - "traefik.http.middlewares.internalonly.ipwhitelist.sourcerange=127.0.0.1/32"
        - "traefik.http.routers.${ROUTER:-traefik}.middlewares=internalonly"
        - "traefik.docker.network=${NETWORK:-traefik}"
        - "traefik.enable=${ENABLE:-true}"