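---
# Docker Compose stack for a single Traefik v2 edge proxy.
#
# Fixes relative to the collapsed original:
#   - the OIDC clientSecret is no longer committed in clear text; it is taken
#     from the environment (compose variable substitution, like ${DOMAIN})
#   - host port mappings are quoted so YAML never retypes them
#   - the file is laid out one key per line with 2-space indentation
#
# NOTE(review): the `certs` named volume used below must be declared under a
# top-level `volumes:` key; that declaration is not visible in this file.

networks:
  traefik-public:
    external: true

services:
  traefik:
    image: traefik:v2.11.0
    restart: unless-stopped
    command:
      # Docker provider: only containers with traefik.enable=true are routed,
      # and only over the traefik-public network.
      - "--providers.docker=true"
      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=traefik-public"
      # Entrypoints (metrics is not published in `ports`, so it is only
      # reachable from the container network).
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.metrics.address=:9090"
      # HTTP -> HTTPS
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      # Security headers middleware (defined in the labels below) applied to
      # every router on websecure.
      - "--entrypoints.websecure.http.middlewares=security-headers"
      # TLS and additional dynamic config from files (tls.yml is mounted
      # into /etc/traefik below).
      - "--providers.file=true"
      - "--providers.file.directory=/etc/traefik"
      # Access logs
      - "--accesslog=true"
      - "--accesslog.filepath=/accesslog/access.log"
      # Prometheus metrics
      - "--metrics.prometheus=true"
      - "--metrics.prometheus.entryPoint=metrics"
      - "--metrics.prometheus.addEntryPointsLabels=true"
      - "--metrics.prometheus.addrouterslabels=true"
      - "--metrics.prometheus.addServicesLabels=true"
      # Dashboard (exposed through the `traefik` router below, behind the
      # zitadel OIDC middleware).
      - "--api.dashboard=true"
      # DEBUG is very verbose; INFO is the usual choice outside development.
      - "--log.level=DEBUG"
      # OIDC relying-party plugin used by the `zitadel` middleware.
      - "--experimental.plugins.traefik-oidc-relying-party.modulename=github.com/alexdelprete/traefik-oidc-relying-party"
      - "--experimental.plugins.traefik-oidc-relying-party.version=v1.0.0-alpha.1"
    ports:
      # Quoted: host:container strings must never be parsed as numbers.
      - "80:80"
      - "443:443"
    volumes:
      # Docker socket is mounted read-only; Traefik only needs to watch events.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - certs:/etc/ssl/traefik
      - ./data/traefik/tls.yml:/etc/traefik/tls.yml
      - ./data/traefik/accesslog:/accesslog
      - ./data/traefik/passwd:/passwd
    networks:
      - traefik-public
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik-public"
      # Router for the Traefik dashboard/API
      ## TLS (the `le` resolver is expected to come from the file provider;
      ## it is not defined in this compose file)
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=le"
      ## Load balancer (not referenced by the router, which uses api@internal)
      - "traefik.http.services.traefik.loadbalancer.server.port=888"
      ## Entrypoint and service
      - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.service=api@internal"
      # Middlewares for the dashboard router
      - "traefik.http.routers.traefik.middlewares=zitadel,no-index-header"
      # Keep the dashboard out of search indexes
      - "traefik.http.middlewares.no-index-header.headers.customResponseHeaders.X-Robots-Tag=noindex"
      # Security headers
      - "traefik.http.middlewares.security-headers.headers.customFrameOptionsValue=SAMEORIGIN"
      - "traefik.http.middlewares.security-headers.headers.contentTypeNosniff=true"
      - "traefik.http.middlewares.security-headers.headers.browserXssFilter=true"
      # Forward auth
      ## Basic auth (defined, but not attached to any router in this file)
      - "traefik.http.middlewares.traefik-auth.basicauth.usersfile=/passwd"
      ## Zitadel OIDC. The client secret comes from the environment (.env or
      ## the shell); compose aborts with the given message if it is unset.
      - "traefik.http.middlewares.zitadel.plugin.traefik-oidc-relying-party.ProviderURL=https://zitadel.traefik.me/"
      - "traefik.http.middlewares.zitadel.plugin.traefik-oidc-relying-party.clientId=265810419401162755@testa"
      - "traefik.http.middlewares.zitadel.plugin.traefik-oidc-relying-party.clientSecret=${OIDC_CLIENT_SECRET:?OIDC_CLIENT_SECRET must be set}"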