x-logging: &default-logging
  options:
    max-size: 32m
    max-file: 4

services:
  traefik:
    container_name: traefik
    image: traefik:3.5.1
    restart: unless-stopped
    env_file: .env
    logging: *default-logging
    depends_on:
      - authelia
    command:
      - --api.insecure=true
      - --providers.docker=true
      - --providers.docker.watch=true
      - --providers.docker.exposedbydefault=false
      - --providers.file.directory=/config
      - --providers.file.watch=true

      - --accesslog
      - --accesslog.format=json

      - --entryPoints.http.address=:80

      - --entryPoints.http.forwardedHeaders.trustedIPs=10.0.0.0/8,172.16.0.0/14,192.168.0.0/16,fc00::/7
      - --entryPoints.http.proxyProtocol.trustedIPs=192.168.0.0/16
      - --entryPoints.http.forwardedHeaders.insecure=false
      - --entryPoints.http.proxyProtocol.insecure=false

      - --entryPoints.https=true
      - --entryPoints.https.address=:443
      - --entryPoints.https.forwardedHeaders.trustedIPs=10.0.0.0/8,172.16.0.0/14,192.168.0.0/16,fc00::/7
      - --entryPoints.https.proxyProtocol.trustedIPs=192.168.0.0/16
      - --entryPoints.https.forwardedHeaders.insecure=false
      - --entryPoints.https.proxyProtocol.insecure=false

      - --entryPoints.http.http.redirections.entrypoint.to=https
      - --entryPoints.http.http.redirections.entrypoint.scheme=https

      - --certificatesresolvers.letsencrypt
      - --certificatesresolvers.letsencrypt.acme.storage=acme.json
      - --certificatesresolvers.letsencrypt.acme.email=joemonk@hotmail.co.uk
      - --certificatesresolvers.letsencrypt.acme.dnsChallenge.provider=route53
      # Uncomment to use the staging env for testing volumes etc
      - --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    volumes:
      - /mnt/cache/appdata/traefik/config:/config
      - /mnt/user/appdata/traefik/letsencrypt/acme.json:/acme.json
      - /var/run/docker.sock:/var/run/docker.sock:ro
    labels:
      - traefik.enable=true

      - traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/authz/forward-auth
      - traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true
      - traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email

      - traefik.http.routers.traefik.entryPoints=https
      - traefik.http.routers.traefik.rule=Host(`traefik.home.joemonk.co.uk`)
      - traefik.http.routers.traefik.tls=true
      - traefik.http.routers.traefik.tls.certresolver=letsencrypt
      - traefik.http.routers.traefik.tls.domains[0].main=traefik.home.joemonk.co.uk
      - traefik.http.routers.traefik.service=traefik
      - traefik.http.routers.traefik.middlewares=authentik-traefik@docker

      - traefik.http.services.traefik.loadbalancer.server.port=8080