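---
# Compose stack: a Traefik v3 reverse proxy published on host ports 80/443,
# with a Tailscale sidecar that joins Traefik's network namespace.
#
# Changes from the previous revision:
#   * ACME storage now points into the persistent `letsencrypt` volume.
#     It was the relative path `acme.json`, which is outside the mounted
#     volume, so issued certificates were lost when the container was
#     recreated.
#   * `privileged: true` was dropped from the traefik service. Nothing in this
#     file needs it: the tailscale sidecar carries its own cap_add and tun
#     device.
#   * Ambiguous scalars (label values, port mappings, subnet) are quoted so
#     every YAML parser reads them as strings.
services:
  tailscale-traefik:
    image: ghcr.io/tailscale/tailscale:v1.84.2
    container_name: tailscale-traefik
    cap_add:
      - net_admin
      - sys_module
    environment:
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_ENABLE_METRICS=true
      - TS_HOSTNAME=traefik-ps10rp
      # - TS_SERVE_CONFIG=/config/serve.json
    # Share the traefik container's network namespace, so the tailnet address
    # and Traefik's listeners live on the same network stack.
    network_mode: 'service:traefik'
    restart: always
    volumes:
      - tailscale:/var/lib/tailscale
      # Mounted even though TS_SERVE_CONFIG above is commented out.
      - ${PWD}/serve.json:/config/serve.json
    devices:
      - /dev/net/tun:/dev/net/tun

  traefik:
    image: ghcr.io/traefik/traefik:v3.4.1
    container_name: traefik
    command:
      - "--global.checkNewVersion=false"
      - "--global.sendAnonymousUsage=false"
      - "--api=true"
      - "--api.insecure=false"
      - "--api.dashboard=true"
      - "--log.level=INFO"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entryPoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entryPoint.to=web-secure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--entryPoints.web-secure.address=:443"
      - "--entryPoints.web-secure.http.tls.options=default"
      - "--entryPoints.web-secure.http.tls.certResolver=cloudflare"
      - "--entryPoints.web-secure.http.tls.domains[0].main=*.lebens-home.net"
      - "--entryPoints.web-secure.http.tls.domains[0].sans[0]=lebens-home.net"
      - "--entryPoints.traefik.address=:8080"
      - "--entryPoints.metrics.address=:9100"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge=true"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge.delaybeforecheck=10"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53"
      - "--certificatesresolvers.cloudflare.acme.email=alexanderlebens@gmail.com"
      # Keep account keys and certificates inside the `letsencrypt` volume so
      # they survive container recreation and do not trigger re-issuance.
      - "--certificatesresolvers.cloudflare.acme.storage=/letsencrypt/acme.json"
      - "--metrics.prometheus=true"
      - "--metrics.prometheus.buckets=0.1,0.3,1.2,5.0"
      - "--metrics.prometheus.addEntryPointsLabels=true"
      - "--metrics.prometheus.addRoutersLabels=true"
      - "--metrics.prometheus.addServicesLabels=true"
      - "--metrics.prometheus.entryPoint=metrics"
      # With manualRouting enabled, metrics are only served through a router
      # that targets prometheus@internal. None is defined in this file.
      - "--metrics.prometheus.manualRouting=true"
    # Presumably supplies the Cloudflare API credentials used by the DNS
    # challenge. Confirm, and keep .env out of version control.
    env_file:
      - .env
    environment:
      - PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    labels:
      traefik.enable: 'true'
      traefik.docker.network: 'internal'
      # NOTE(review): this router exposes api@internal on web-secure, which is
      # published on 0.0.0.0:443 below, and no auth or ipAllowList middleware
      # is attached. Any client that reaches :443 with this Host header gets
      # the dashboard and API. Attach an authentication or source-address
      # middleware before relying on the hostname alone.
      traefik.http.routers.dashboard.entrypoints: 'web-secure'
      traefik.http.routers.dashboard.rule: '(Host(`traefik-ps10rp.lebens-home.net`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard/`)))'
      traefik.http.routers.dashboard.service: 'api@internal'
    networks:
      internal: null
    ports:
      - '0.0.0.0:80:80'
      - '0.0.0.0:443:443'
    # `privileged: true` was removed here. Combined with the Docker socket
    # mount below, it gave an internet-facing proxy full control of the host.
    restart: always
    volumes:
      - letsencrypt:/letsencrypt
      # NOTE(review): `:ro` only makes the socket file read-only. It does not
      # restrict Docker API calls, so anything that can talk to this socket can
      # still create containers. Consider a filtering socket proxy that exposes
      # only the read endpoints Traefik needs.
      - /var/run/docker.sock:/var/run/docker.sock:ro

networks:
  internal:
    name: internal
    driver: bridge
    ipam:
      config:
        - subnet: '172.24.0.0/16'

volumes:
  tailscale: {}
  letsencrypt: {}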