services:

  traefik:
    image: traefik:v3.3
    container_name: traefik
    restart: always
    ports:
      - 80:80/tcp # http
      - 443:443/tcp # https
      - 443:443/udp # https http3 quic
      - 127.0.0.1:8080:8080 # http api dashboard
    expose:
      - 80 # http
      - 443 # https
      - 8080 # http api dashboard
    volumes:
      #- /var/run/docker.sock:/var/run/docker.sock:ro # better use socket-proxy instead
      - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/traefik:/etc/traefik/ # put the provided traefik.yml and fileConfig.yml files at this location
      - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/traefik/logs:/logs
    environment:
      - TZ=Europe/Berlin
      - CF_DNS_API_TOKEN=MyCloudflareApiToken # change this if you use Cloudflare
    labels:
      - traefik.enable=true
      - traefik.http.routers.api.rule=Host(`traefik.example.com`) # Define the subdomain for the traefik dashboard.
      - traefik.http.routers.api.service=api@internal # Enable Traefik API.
      - traefik.http.routers.api.middlewares=local-ipwhitelist@file,basic-auth@file # protect dashboard with basic auth and restrict access to private class subnets only
      #- traefik.http.middlewares.basic-auth-global.basicauth.users=admin:$$apr1$$epoKf5li$$QfTMJZOCS/halv3CiIUEu0 # protect the traefik dashboard by basic auth (pw=password)
    extra_hosts:
      - host.docker.internal:172.17.0.1
    security_opt:
      - no-new-privileges:true      
    networks:
      - proxy
      - docker-proxynet

  socket-proxy:
    image: lscr.io/linuxserver/socket-proxy:1.26.2
    container_name: socket-proxy
    environment:
      - CONTAINERS=1
      - EVENTS=1
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - docker-proxynet
    restart: always
    read_only: true
    tmpfs:
      - /run

networks:
  proxy:
    external: true
  docker-proxynet:
    internal: true