services:
  traefik:
    image: traefik:v3.5
    # Remove all command arguments - using static config file instead
    ports:
    - target: 80
      published: 80
      mode: host
    - target: 443
      published: 443
      mode: host
    - target: 8443
      published: 8443
      mode: host
    - target: 8080
      published: 8082
      mode: host
    environment:
    - CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare_api_token
    volumes:
    - /var/run/docker.sock:/var/run/docker.sock:ro
    - /home/doc/projects/swarm-data/appdata/traefik/certificates:/certificates
    - /home/doc/projects/swarm/conf/traefik-conf/static.yml:/etc/traefik/traefik.yml:ro
    - /home/doc/projects/swarm/conf/traefik-conf/dynamic.yml:/etc/traefik/dynamic/dynamic.yml:ro
    secrets:
    - cloudflare_api_token
    networks:
    - homelab
    healthcheck:
      test: [ "CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:8080/ping" ]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 30s
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints:
        - node.hostname == p0
      resources:
        limits:
          memory: 512M
          cpus: '0.5'
        reservations:
          memory: 256M
      labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`proxy.frostlabs.me`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"

networks:
  homelab:
    external: true

secrets:
  cloudflare_api_token:
    external: true