networks:
  proxy:
    external: false
    name: proxy
    enable_ipv6: true

volumes:
  letsencrypt:
    name: letsencrypt
  portainer:
    name: portainer

services:
  traefik:
    image: traefik:v3
    container_name: traefik
    restart: unless-stopped
    command:
      - --global.sendAnonymousUsage=false
      - --api.insecure=true
      - --providers.docker=true
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false
      - --entryPoints.web.address=:80
      - --entryPoints.websecure.address=:443
      - --entryPoints.ssh.address=:222/tcp
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
      - --certificatesresolvers.myresolver.acme.email=christiansteinle@arcor.de
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.infomaniak.acme.dnschallenge=true
      - --certificatesresolvers.infomaniak.acme.email=christiansteinle@arcor.de
      - --certificatesresolvers.infomaniak.acme.dnschallenge.provider=infomaniak
      - --certificatesresolvers.infomaniak.acme.storage=/letsencrypt/infomaniak.json
      - --log=true
      - --accessLog=true
      - --metrics.prometheus=true
      - --metrics.prometheus.addRoutersLabels=true
    environment:
      - INFOMANIAK_ACCESS_TOKEN=5IraYq8HK9qur57Mj_TnHQ9pS9G79NPvjF8ID17n-EvfYO7TU6Fi0ZmDKSX6mIhTQJbyYegRd1hfmM-t
      - LEGO_EXPERIMENTAL_CNAME_SUPPORT=true
    ports:
      - "80:80"
      - "443:443"
      - "222:222"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - letsencrypt:/letsencrypt
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.rule=Host(`traefik.fam-steinle.de`)"
      - "traefik.http.routers.traefik.middlewares=traefik"
      - "traefik.http.middlewares.traefik.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.fam-steinle.de`)"
      - "traefik.http.routers.traefik-secure.tls.certresolver=myresolver"
      - "traefik.http.services.traefik-secure.loadbalancer.server.port=8080"
    networks:
      - proxy

  portainer:
    image: portainer/portainer-ce:alpine
    container_name: portainer
    command: -H unix:///var/run/docker.sock
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer:/data
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.entrypoints=web"
      - "traefik.http.routers.portainer.rule=Host(`portainer.fam-steinle.de`)"
      - "traefik.http.routers.portainer.middlewares=portainer"
      - "traefik.http.middlewares.portainer.redirectscheme.scheme=https"
      - "traefik.http.routers.portainer-secure.entrypoints=websecure"
      - "traefik.http.routers.portainer-secure.rule=Host(`portainer.fam-steinle.de`)"
      - "traefik.http.routers.portainer-secure.middlewares=portainer-secure"
      - "traefik.http.middlewares.portainer-secure.headers.addvaryheader=true"
      - "traefik.http.middlewares.portainer-secure.headers.accesscontrolalloworiginlist=https://homer.fam-steinle.de"
      - "traefik.http.middlewares.portainer-secure.headers.accesscontrolallowheaders=x-api-key"
      - "traefik.http.routers.portainer-secure.tls.certresolver=myresolver"
      - "traefik.http.services.portainer-secure.loadbalancer.server.port=9000"