services:
  reverse-proxy:
    image: traefik:3.3
    restart: unless-stopped
    ports:
      - "30080:80"
      - "30443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./conf:/etc/traefik:ro
      - ./log:/var/log/traefik
      - ./acme.json:/acme.json
    environment:
      - CLOUDFLARE_EMAIL=xxxxxxxxxxxxxxxxxx
      - CLOUDFLARE_DNS_API_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxx
    labels:
      - "traefik.http.routers.traefik-api.rule=Host(`traefik.vaala.tech`)"
      - "traefik.http.routers.traefik-api.middlewares=traefik-forward-auth"
      - "traefik.http.routers.traefik-api.tls.domains[0].sans=*.vaala.tech"
      - "traefik.http.routers.traefik-api.tls=true"
      - "traefik.http.routers.traefik-api.tls.certresolver=myresolver"
      - "traefik.http.services.traefik-api.loadbalancer.server.port=8080"
    networks:
      - traefik

  traefik-forward-auth:
    image: ghcr.io/stefanschoof/traefik-forward-auth:latest
    env_file: .auth.env
    restart: unless-stopped
    volumes:
      - /etc/resolv.conf:/etc/resolv.conf:ro
    networks:
      - traefik
    labels:
      - "traefik.http.routers.traefik-forward-auth.rule=Host(`auth.vaala.tech`)"
      - "traefik.http.routers.traefik-forward-auth.tls.domains[0].sans=*.vaala.tech"
      - "traefik.http.routers.traefik-forward-auth.tls.certresolver=myresolver"
      - "traefik.http.routers.traefik-forward-auth.middlewares=traefik-forward-auth"
      - "traefik.http.routers.traefik-forward-auth.tls=true"
      - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"

  whoami:
    image: traefik/whoami
    restart: unless-stopped
    expose:
      - 80
    networks:
      - traefik
    labels:
      - "traefik.http.routers.whoami.rule=Host(`whoami.vaala.tech`)"
      - "traefik.http.routers.whoami.tls.domains[0].sans=*.vaala.tech"
      - "traefik.http.routers.whoami.middlewares=traefik-forward-auth"
      - "traefik.http.routers.whoami.tls=true"
      - "traefik.http.routers.whoami.tls.certresolver=myresolver"
      - "traefik.http.services.whoami.loadbalancer.server.port=80"

networks:
  traefik:
    external: true
    name: traefik