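services:
  traefik:
    # Pinned Traefik image (v3.x); the --providers.swarm.* flags under "command"
    # are v3 syntax, so bump this tag deliberately, not to "latest"
    image: traefik:v3.0
    ports:
      # Host mode is essential to work with IPv6
      # Listen on port 80, default for HTTP, necessary to redirect to HTTPS
      - target: 80
        published: 80
        mode: host
        protocol: tcp
      # Listen on port 443, default for HTTPS
      - target: 443
        published: 443
        mode: host
        protocol: tcp
      # Additional entrypoints, see the --entrypoints.* flags under "command".
      # Short-form mappings stay quoted so they are always parsed as strings.
      # portainer
      - '9001:9001'
      # elasticsearch / kibana
      - '9002:9002'
      # traefik ui
      - '9004:9004'
      # phpmyadmin
      - '9005:9005'
      # mailhog
      - '8025:8025'
      # NOTE(review): the rabbitmq entrypoint (:9003) defined under "command" is not
      # published here; confirm whether it is meant to be reachable from outside.
    deploy:
      mode: global
      placement:
        constraints:
          # Make the traefik service run only on the node with this label
          # as the node with it has the volume for the certificates
          - node.labels.traefik-public.traefik-public-certificates == true
      labels:
        # Enable Traefik for this service, to make it available in the public network
        - traefik.enable=true
        # Use the traefik-public network (declared below)
        - traefik.docker.network=traefik-public
        # Use the custom label "traefik.constraint-label=traefik-public"
        # This public Traefik will only use services with this label
        # That way you can add other internal Traefik instances per stack if needed
        - traefik.constraint-label=traefik-public
        # admin-auth middleware with HTTP Basic auth
        # Using the environment variables USERNAME and HASHED_PASSWORD
        # (HASHED_PASSWORD is a password hash, never the clear-text password)
        - "traefik.http.middlewares.admin-auth.basicauth.users=${USERNAME?Variable not set}:${HASHED_PASSWORD?Variable not set}"
        # https-redirect middleware to redirect HTTP to HTTPS
        # It can be re-used by other stacks in other Docker Compose files
        - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
        - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
        # traefik-http set up only to use the middleware to redirect to https
        # Uses the environment variable DOMAIN
        - traefik.http.routers.traefik-public-http.rule=Host(`${DOMAIN?Variable not set}`)
        - traefik.http.routers.traefik-public-http.entrypoints=traefik-ui
        - traefik.http.routers.traefik-public-http.middlewares=https-redirect
        # traefik-https the actual router using HTTPS
        # Uses the environment variable DOMAIN
        - traefik.http.routers.traefik-public-https.rule=Host(`${DOMAIN?Variable not set}`)
        - traefik.http.routers.traefik-public-https.entrypoints=traefik-ui
        - traefik.http.routers.traefik-public-https.tls=true
        # Use the special Traefik service api@internal with the web UI/Dashboard
        - traefik.http.routers.traefik-public-https.service=api@internal
        # Use the "le" (Let's Encrypt) resolver created below
        - traefik.http.routers.traefik-public-https.tls.certresolver=le
        # Enable HTTP Basic auth, using the middleware created above.
        # The dashboard/API exposes the whole routing configuration, so this
        # router must never be published without admin-auth.
        - traefik.http.routers.traefik-public-https.middlewares=admin-auth
        # Define the port inside of the Docker service to use
        - traefik.http.services.traefik-public.loadbalancer.server.port=8080
        # when running in Docker Swarm Mode, use swarm loadbalancer!!
        # - traefik.docker.lbswarm=true
        # Redirect non-www to www middleware (defined here for re-use by other
        # stacks; it is not attached to the routers above). "$$" is the Compose
        # escape for a literal "$", so Traefik receives "${1}".
        - "traefik.http.middlewares.non-www-to-www.redirectregex.regex=^https?://(?:www\\.)?(.+)"
        - "traefik.http.middlewares.non-www-to-www.redirectregex.permanent=true"
        - "traefik.http.middlewares.non-www-to-www.redirectregex.replacement=https://www.$${1}"
      resources:
        limits:
          memory: 512M
        reservations:
          cpus: '0.25'
          memory: 256M
      update_config:
        order: stop-first
    volumes:
      # Docker socket, read-only, so that Traefik can read the labels of other services.
      # Even read-only, the socket grants full Docker API access (equivalent to root
      # on the host): run this stack only on nodes you trust with that.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Mount the volume to store the certificates
      - traefik-public-certificates:/certificates
      # Mount log folder; fail fast with a clear message when TRAEFIK_LOG_DIR is unset,
      # like the other required variables in this file (an empty bind source would
      # otherwise fail with a less helpful error)
      - ${TRAEFIK_LOG_DIR?Variable not set}:/var/log/traefik
      # Mount dynamic config
      - ./config.yml:/etc/traefik/config.yml:ro
    command:
      # Enable Docker Swarm in Traefik, so that it reads labels from Docker services
      - --providers.swarm.endpoint=unix:///var/run/docker.sock
      # Use the traefik-public network to reach the backend containers
      - --providers.swarm.network=traefik-public
      # Add a constraint to only use services with the label "traefik.constraint-label=traefik-public"
      - --providers.swarm.constraints=Label(`traefik.constraint-label`, `traefik-public`)
      # Do not expose all Docker services, only the ones explicitly exposed
      - --providers.swarm.exposedbydefault=false
      # Create an entrypoint "http" listening on address 80
      - --entrypoints.http.address=:80
      # Create an entrypoint "https" listening on address 443
      - --entrypoints.https.address=:443
      # Create the certificate resolver "le" for Let's Encrypt, uses the environment variable EMAIL
      - --certificatesresolvers.le.acme.email=${EMAIL?Variable not set}
      # Store the Let's Encrypt certificates in the mounted volume
      - --certificatesresolvers.le.acme.storage=/certificates/acme.json
      # Use the TLS Challenge for Let's Encrypt
      - --certificatesresolvers.le.acme.tlschallenge=true
      # Enable the access log, with HTTP requests (setting any accesslog.* option
      # turns the access log on)
      - --accesslog.bufferingsize=100
      - --accesslog.filepath=/var/log/traefik/traefik-access.log
      # Enable the Traefik log, for configurations and errors
      - --log
      # Enable the Dashboard and API (served only through the admin-auth router above)
      - --api
      # SMDM entrypoints additional services
      - --entrypoints.portainer.address=:9001
      - --entrypoints.kibana.address=:9002
      - --entrypoints.rabbitmq.address=:9003
      - --entrypoints.traefik-ui.address=:9004
      - --entrypoints.phpmyadmin.address=:9005
      - --entrypoints.mailhog.address=:8025
      # Trust PROXY-protocol and X-Forwarded-* headers (client IP, host) only when
      # they come from IP_RANGE, e.g. the upstream load balancer. Keep the range as
      # narrow as possible: any address in it can set the client IP that backends,
      # the access log and IP-based middlewares see. Required, like the variables
      # above, so an unset value fails the deploy instead of yielding an empty list.
      - --entrypoints.http.proxyProtocol.trustedIPs=${IP_RANGE?Variable not set}
      - --entrypoints.http.forwardedHeaders.trustedIPs=${IP_RANGE?Variable not set}
      - --entrypoints.https.proxyProtocol.trustedIPs=${IP_RANGE?Variable not set}
      - --entrypoints.https.forwardedHeaders.trustedIPs=${IP_RANGE?Variable not set}
    networks:
      # Use the public network created to be shared between Traefik and
      # any other service that needs to be publicly available with HTTPS
      - traefik-public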
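volumes:
  # Create a volume to store the certificates, there is a constraint to make sure
  # Traefik is always deployed to the same Docker node with the same volume containing
  # the HTTPS certificates. Written as an explicit empty mapping: a bare "key:" parses
  # as null, which some tooling rejects or reformats; Compose treats both the same.
  traefik-public-certificates: {}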
networks:
  # Use the previously created public network "traefik-public", shared with other
  # services that need to be publicly available via this Traefik.
  # "external: true" means the network is not created by this stack; it must exist
  # (e.g. created once as an attachable overlay network) before deploying.
  traefik-public:
    external: true