services:
  traefik:
    image: traefik
    container_name: traefik
    restart: unless-stopped
    ports:
      - 80:80 # HTTP
      - 443:443/tcp # HTTPS HTTP1/2
      - 443:443/udp # HTTPS HTTP3
      - 8080:8080 # TREFIK DASHBOARD
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro"
      - /etc/localtime:/etc/localtime:ro
      - ./traefik/traefik.yml:/etc/traefik/traefik.yml:ro
      - ./traefik/config/:/etc/traefik/:ro
      - ./traefik/acme:/etc/traefik/acme
      - ./traefik/ssl:/etc/traefik/ssl:ro
    networks:
      - traefik_public
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)
      - traefik.http.services.traefik-traefik.loadbalancer.server.port=8080
      - traefik.http.routers.traefik.entrypoints=websecure
      - traefik.http.routers.traefik.tls=true
      # Uncomment for LetsEncrypt certificate
      # - traefik.http.routers.traefik.tls.certresolver=tls-resolver 
      - "com.centurylinklabs.watchtower.enable=true"

  certdumper:
    image: ghcr.io/kereis/traefik-certs-dumper:latest
    restart: unless-stopped
    container_name: certdumper
    volumes:
      - ./traefik/acme:/traefik:ro
      - ./certdump:/output:rw
    network_mode: none
    environment:
      COMBINED_PEM: fullchain.pem

networks:
  traefik_public:
    external: true