# vi: ft=yaml
version: "3.7"

networks:
  traefik:
    external: true

services:
  traefik:
    image: traefik:3.0
    networks:
      - traefik
    ports:
      - 443:443
      - 80:80
      - 8080:8080
    deploy:
      placement:
        constraints: [node.labels.traefik == true]
      labels:
        - traefik.enable=true
        - traefik.http.routers.dashboard.rule=Host(`maestro.dmz`)
        - traefik.http.routers.dashboard.service=api@internal
        - traefik.http.services.dummy-svc.loadbalancer.server.port=8080
    volumes:
      - type: bind
        source: /var/run/docker.sock
        target: /var/run/docker.sock
    command:
      - --providers.docker
      - --providers.docker.swarmmode
      - --providers.docker.watch
      - --api
      - --api.insecure=true
      - --api.dashboard=true
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint=true
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.web.http.redirections.entrypoint.permanent=true
      - --entrypoints.websecure.address=:443
      - --providers.docker.exposedbydefault=false
      - --certificatesresolvers.letsencrypt.acme=true
      - --certificatesresolvers.letsencrypt.acme.email=pim@kunis.nl
      - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
      - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web