services:
  frontend:
    labels:
      - traefik.enable=true
      - traefik.http.services.frontend.loadbalancer.server.port=8080
      - traefik.http.routers.frontend-http.entrypoints=websecure
      - traefik.http.routers.frontend-http.tls.certresolver=main-resolver
      - traefik.http.routers.frontend-http.rule=Host(${SITES:?List of sites not set})
      - traefik.http.routers.frontend-http.middlewares=security-headers
      - traefik.http.middlewares.security-headers.headers.sslRedirect=true
      - traefik.http.middlewares.security-headers.headers.stsSeconds=31536000

  proxy:
    image: traefik:v3.3.4
    restart: unless-stopped
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls.options=modern
      - --entrypoints.websecure.http.tls.minVersion=VersionTLS13
      - --accesslog=true
      - --accesslog.fields.headers.names.Content-Type=keep
      - --certificatesresolvers.main-resolver.acme.httpchallenge=true
      - --certificatesresolvers.main-resolver.acme.httpchallenge.entrypoint=web
      - --certificatesresolvers.main-resolver.acme.email=${LETSENCRYPT_EMAIL:?No Let's Encrypt email set}
      - --certificatesresolvers.main-resolver.acme.storage=/letsencrypt/acme.json
    ports:
      - ${HTTP_PUBLISH_PORT:-80}:80
      - ${HTTPS_PUBLISH_PORT:-443}:443
    volumes:
      - cert-data:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock:ro

volumes:
  cert-data: