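---
# Docker Swarm stack: Traefik v3 edge proxy (HTTP->HTTPS redirect, Let's Encrypt
# certificates via the Cloudflare DNS-01 challenge) plus a whoami test service.
version: '3.8'

networks:
  traefik-public:
    external: true

volumes:
  traefik_letsencrypt:
    external: true

configs:
  traefik_dynamic:
    external: true

secrets:
  # Cloudflare API token, stored as a Swarm secret instead of inline in this
  # file. The secret name is chosen here; create it out of band before deploying:
  #   docker secret create cf_dns_api_token -     (token supplied on stdin)
  # The token that was previously written in plain text in this file must be
  # treated as exposed: revoke it in Cloudflare and issue a replacement that is
  # scoped to DNS edit on the one zone that needs certificates.
  cf_dns_api_token:
    external: true

services:
  traefik:
    image: traefik:v3.6.4
    ports:
      - "80:80"
      - "443:443"
      # 8080 is intentionally not published: with --api.insecure=false the
      # dashboard is only served through the websecure router defined in the
      # deploy labels, so publishing 8080 would only open an unused port on
      # every node of the ingress mesh.
    volumes:
      # NOTE(review): the :ro flag only makes the socket file read-only; it does
      # not restrict which Docker API calls can be made through it. Anything
      # that compromises this container can control the manager's Docker
      # daemon. Consider a filtering socket proxy limited to the read-only
      # endpoints the Swarm provider needs.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Holds acme.json (account key and issued private keys); keep it on the
      # manager and out of backups that are readable by other services.
      - traefik_letsencrypt:/letsencrypt
    networks:
      - traefik-public
    configs:
      - source: traefik_dynamic
        target: /etc/traefik/dynamic.yml
    secrets:
      # Mounted inside the container at /run/secrets/cf_dns_api_token.
      - cf_dns_api_token
    environment:
      # The ACME DNS provider accepts a *_FILE variant of each credential
      # variable and reads the value from that file. Both variables point at
      # the same secret because the original configuration used one token for
      # both.
      - CF_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_api_token
      - CF_ZONE_API_TOKEN_FILE=/run/secrets/cf_dns_api_token
    # Optional: resolvers used by the container (local Pi-hole instances
    # first, then a public fallback).
    dns:
      - 192.168.1.196
      - 192.168.1.245
      - 1.1.1.1
    command:
      # Entrypoints
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"

      # Swarm provider: services are only routed when they opt in with
      # traefik.enable=true.
      - "--providers.swarm=true"
      - "--providers.swarm.network=traefik-public"
      - "--providers.swarm.exposedbydefault=false"

      # File provider (dynamic configuration delivered as a Swarm config)
      - "--providers.file.filename=/etc/traefik/dynamic.yml"
      - "--providers.file.watch=true"

      # Dashboard: enabled, but not on the unauthenticated :8080 listener.
      - "--api.dashboard=true"
      - "--api.insecure=false"

      # HTTP -> HTTPS
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"

      # Let's Encrypt / ACME with the Cloudflare DNS challenge
      - "--certificatesresolvers.cfresolver.acme.email=sterlenjohnson6@gmail.com"
      - "--certificatesresolvers.cfresolver.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.cfresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.cfresolver.acme.dnschallenge.provider=cloudflare"
      # Optional: wait before checking that the TXT record has propagated
      - "--certificatesresolvers.cfresolver.acme.dnschallenge.propagation.delayBeforeChecks=60"

      # Logging
      - "--log.level=INFO"
    deploy:
      placement:
        constraints:
          # The Swarm provider needs a manager's Docker API.
          - node.role == manager
      labels:
        # Dashboard router
        # NOTE(review): no middleware is attached here, so anyone who can reach
        # this hostname on 443 can view the dashboard and API. Attach an
        # authentication or IP allow-list middleware, for example one defined
        # in dynamic.yml:
        #   - "traefik.http.routers.traefik.middlewares=<auth-middleware-name>@file"
        - "traefik.enable=true"
        - "traefik.http.routers.traefik.rule=Host(`traefik.sterl.xyz`)"
        - "traefik.http.routers.traefik.entrypoints=websecure"
        - "traefik.http.routers.traefik.tls.certresolver=cfresolver"
        # The Swarm provider requires a port label on every enabled service;
        # the router below targets api@internal, not this port.
        - "traefik.http.services.traefik.loadbalancer.server.port=8080"
        - "traefik.http.routers.traefik.service=api@internal"

  whoami:
    # NOTE(review): the image is untagged, so it resolves to "latest" at deploy
    # time; pin a specific tag or digest so redeploys are reproducible.
    image: traefik/whoami
    networks:
      - traefik-public
    deploy:
      labels:
        # Whoami router
        # whoami echoes request headers and the client address; treat it as a
        # diagnostic endpoint and remove or restrict it once routing is verified.
        - "traefik.enable=true"
        - "traefik.http.routers.whoami.rule=Host(`whoami.sterl.xyz`)"
        - "traefik.http.routers.whoami.entrypoints=websecure"
        - "traefik.http.routers.whoami.tls.certresolver=cfresolver"
        - "traefik.http.services.whoami.loadbalancer.server.port=80"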