# vi: ft=yaml
# Docker Swarm stack for a single Traefik edge proxy: terminates TLS for
# public hosts (443), redirects plain HTTP (80), serves the dashboard on a
# separate entrypoint (444), and provisions Let's Encrypt certificates.
version: "3.7"

networks:
  # Overlay network created outside this stack; other stacks attach to it
  # so Traefik can reach their containers (see the traefik.docker.network label).
  traefik:
    external: true

configs:
  # Dynamic-configuration file (file provider) created outside this stack.
  # The name is a template expression, presumably rendered before
  # `docker stack deploy` — keep it quoted so an empty expansion does not
  # become null.
  services:
    external: true
    name: "{{ services.config_name }}"

volumes:
  # Persistent store for acme.json (private keys + certificates) on NFS.
  # NOTE(review): `soft` and `nolock` trade consistency for availability;
  # if the NFS server stalls, writes to acme.json may fail — confirm this
  # is acceptable for certificate storage.
  acme:
    driver_opts:
      type: "nfs"
      o: "addr=lewis.dmz,nolock,soft,rw"
      device: ":/mnt/data/nfs/traefik/acme"

services:
  traefik:
    # NOTE(review): pre-release tag; pin to a stable release once available.
    image: traefik:3.0.0-beta2
    networks:
      - traefik
    # Host-mode publishing binds directly on the node's interfaces instead of
    # the swarm routing mesh, which is why placement is pinned to a manager.
    ports:
      - mode: host
        protocol: tcp
        published: 443
        target: 443
      - mode: host
        protocol: tcp
        published: 80
        target: 80
      # Dashboard/API entrypoint (localsecure).
      - mode: host
        protocol: tcp
        published: 444
        target: 444
    deploy:
      placement:
        # The Docker socket below must belong to a manager for the swarm
        # provider to enumerate services.
        constraints:
          - node.role == manager
      labels:
        # Self-routing: expose Traefik's own dashboard/API (api@internal)
        # on the localsecure entrypoint with a Let's Encrypt certificate.
        # NOTE(review): no middleware (e.g. basicauth/ipallowlist) is attached
        # to this router, so anyone who can reach port 444 gets the API —
        # confirm 444 is not reachable from untrusted networks.
        - traefik.enable=true
        - traefik.http.routers.dashboard.entrypoints=localsecure
        - traefik.http.routers.dashboard.rule=Host(`traefik.kun.is`)
        - traefik.http.routers.dashboard.service=api@internal
        # Port label is required by the swarm provider even for api@internal.
        - traefik.http.services.dashboard.loadbalancer.server.port=8080
        - traefik.http.routers.dashboard.tls=true
        - traefik.http.routers.dashboard.tls.certresolver=letsencrypt
        - traefik.docker.network=traefik

        # Public router whose backend (esrom@file) is defined in the mounted
        # services.yml rather than via Docker labels.
        - traefik.http.routers.esrom.entrypoints=websecure
        - traefik.http.routers.esrom.service=esrom@file
        - traefik.http.routers.esrom.rule=Host(`geokunis2.nl`)
        - traefik.http.routers.esrom.tls=true
        - traefik.http.routers.esrom.tls.certresolver=letsencrypt
    volumes:
      # Docker socket of the manager: required by the docker/swarm provider,
      # but it grants the container full control of the engine. Mounting it
      # read-only (`read_only: true`) still allows the provider's API calls.
      - type: bind
        source: /var/run/docker.sock
        target: /var/run/docker.sock
      # acme.json lives here; nocopy avoids seeding the NFS share from the image.
      - type: volume
        source: acme
        target: /acme
        volume:
          nocopy: true
    configs:
      # File-provider source referenced by --providers.file.filename below.
      - source: services
        target: /etc/traefik/services.yml
    command:
      # Docker provider in swarm mode; containers must opt in with
      # traefik.enable=true (exposedbydefault=false).
      - --providers.docker
      - --providers.docker.swarmmode
      - --providers.docker.watch
      - --providers.docker.exposedbydefault=false

      # Dynamic configuration from the mounted config (esrom@file lives here).
      - --providers.file.filename=/etc/traefik/services.yml

      # API is not served on an unauthenticated entrypoint; it is only
      # reachable through the dashboard router defined in the labels.
      - --api
      - --api.insecure=false
      - --api.dashboard=true

      # Plain HTTP: permanent redirect to websecure (https).
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint=true
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.web.http.redirections.entrypoint.permanent=true

      # Public HTTPS entrypoint.
      - --entrypoints.websecure.address=:443

      # Dashboard entrypoint (see dashboard router labels).
      - --entrypoints.localsecure.address=:444

      # Let's Encrypt via HTTP-01 on the web entrypoint; state persisted to
      # the NFS-backed acme volume.
      - --certificatesresolvers.letsencrypt.acme=true
      - --certificatesresolvers.letsencrypt.acme.email=pim@kunis.nl
      - --certificatesresolvers.letsencrypt.acme.storage=/acme/acme.json
      - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
      - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web

      # NOTE(review): disables backend certificate verification globally, so a
      # spoofed upstream is not detected. Prefer trusted upstream certificates
      # or a per-service serversTransport limited to the backends that need it.
      - --serversTransport.insecureSkipVerify=true

      # Access log: keep everything by default, but never record credentials
      # (client username, Authorization header).
      - --accesslog=true
      - --accesslog.fields.defaultmode=keep
      - --accesslog.fields.names.ClientUsername=drop
      - --accesslog.fields.headers.defaultmode=keep
      - --accesslog.fields.headers.names.User-Agent=keep
      - --accesslog.fields.headers.names.Authorization=drop
      - --accesslog.fields.headers.names.Content-Type=keep